

SECURING CONSUMERS’ DATA: OPTIONS 
FOLLOWING SECURITY BREACHES 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON 

COMMERCE, TRADE, AND CONSUMER PROTECTION 

OF THE 

COMMITTEE ON ENERGY AND 
COMMERCE 

HOUSE OF REPRESENTATIVES 

ONE HUNDRED NINTH CONGRESS 

FIRST SESSION 

MAY 11, 2005 


Serial No. 109-14 


Printed for the use of the Committee on Energy and Commerce 



Available via the World Wide Web: http://www.access.gpo.gov/congress/house 


U.S. GOVERNMENT PRINTING OFFICE 
21-635PDF WASHINGTON : 2005 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON ENERGY AND COMMERCE 


JOE BARTON, Texas, Chairman 


RALPH M. HALL, Texas 
MICHAEL BILIRAKIS, Florida, Vice Chairman 
FRED UPTON, Michigan 
CLIFF STEARNS, Florida 
PAUL E. GILLMOR, Ohio 
NATHAN DEAL, Georgia 
ED WHITFIELD, Kentucky 
CHARLIE NORWOOD, Georgia 
BARBARA CUBIN, Wyoming 
JOHN SHIMKUS, Illinois 
HEATHER WILSON, New Mexico 
JOHN B. SHADEGG, Arizona 
CHARLES W. “CHIP” PICKERING, Mississippi, Vice Chairman 
VITO FOSSELLA, New York 
ROY BLUNT, Missouri 
STEVE BUYER, Indiana 
GEORGE RADANOVICH, California 
CHARLES F. BASS, New Hampshire 
JOSEPH R. PITTS, Pennsylvania 
MARY BONO, California 
GREG WALDEN, Oregon 
LEE TERRY, Nebraska 
MIKE FERGUSON, New Jersey 
MIKE ROGERS, Michigan 
C.L. “BUTCH” OTTER, Idaho 
SUE MYRICK, North Carolina 
JOHN SULLIVAN, Oklahoma 
TIM MURPHY, Pennsylvania 
MICHAEL C. BURGESS, Texas 
MARSHA BLACKBURN, Tennessee 


JOHN D. DINGELL, Michigan, Ranking Member 
HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
RICK BOUCHER, Virginia 
EDOLPHUS TOWNS, New York 
FRANK PALLONE, Jr., New Jersey 
SHERROD BROWN, Ohio 
BART GORDON, Tennessee 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
BART STUPAK, Michigan 
ELIOT L. ENGEL, New York 
ALBERT R. WYNN, Maryland 
GENE GREEN, Texas 
TED STRICKLAND, Ohio 
DIANA DeGETTE, Colorado 
LOIS CAPPS, California 
MIKE DOYLE, Pennsylvania 
TOM ALLEN, Maine 
JIM DAVIS, Florida 
JAN SCHAKOWSKY, Illinois 
HILDA L. SOLIS, California 
CHARLES A. GONZALEZ, Texas 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
MIKE ROSS, Arkansas 


Bud Albright, Staff Director 

David Cavicke, Deputy Staff Director and General Counsel 
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel 


Subcommittee on Commerce, Trade, and Consumer Protection 
CLIFF STEARNS, Florida, Chairman 

FRED UPTON, Michigan 
NATHAN DEAL, Georgia 
BARBARA CUBIN, Wyoming 
GEORGE RADANOVICH, California 
CHARLES F. BASS, New Hampshire 
JOSEPH R. PITTS, Pennsylvania 
MARY BONO, California 
LEE TERRY, Nebraska 
MIKE FERGUSON, New Jersey 
MIKE ROGERS, Michigan 
C.L. “BUTCH” OTTER, Idaho 
SUE MYRICK, North Carolina 
TIM MURPHY, Pennsylvania 
MARSHA BLACKBURN, Tennessee 
JOE BARTON, Texas (Ex Officio) 

JAN SCHAKOWSKY, Illinois, Ranking Member 
MIKE ROSS, Arkansas 
EDWARD J. MARKEY, Massachusetts 
EDOLPHUS TOWNS, New York 
SHERROD BROWN, Ohio 
BOBBY L. RUSH, Illinois 
GENE GREEN, Texas 
TED STRICKLAND, Ohio 
DIANA DeGETTE, Colorado 
JIM DAVIS, Florida 
CHARLES A. GONZALEZ, Texas 
TAMMY BALDWIN, Wisconsin 
JOHN D. DINGELL, Michigan (Ex Officio) 





CONTENTS 


Page 

Testimony of: 

Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation 12 
Buege, Steve, Senior Vice President, Business Information, News and Public Records, North American Legal 18 
Burton, Daniel, Vice President of Government Affairs, Entrust, Inc. 25 
Ireland, Oliver I., Partner, Financial Services Practice Group, Morrison and Foerster, LLP, on Behalf of Visa USA 22 
Solove, Daniel J., Associate Professor of Law, George Washington University Law School 31 

Additional material submitted for the record: 

ARMA International, prepared statement of 51 
Hillebrand, Gail, Senior Attorney, Consumers Union, prepared statement of 53 





SECURING CONSUMERS’ DATA: OPTIONS 
FOLLOWING SECURITY BREACHES 


WEDNESDAY, MAY 11, 2005 

House of Representatives, 
Committee on Energy and Commerce, 
Subcommittee on Commerce, Trade, and Consumer Protection, 
Washington, DC. 

The subcommittee met, pursuant to notice, at 11:05 a.m., in room 2123 of the Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding. 

Members present: Representatives Stearns, Upton, Cubin, Radanovich, Bass, Pitts, Bono, Terry, Rogers, Myrick, Murphy, Blackburn, Barton (ex officio), Schakowsky, Ross, Markey, and Baldwin. 

Staff present: David Cavicke, chief counsel; Chris Leahy, policy coordinator; Will Carty, professional staff; Larry Neal, deputy staff director; Billy Harvard, clerk; Kevin Schweers, communications director; Lisa Miller, press secretary; Consuela Washington, minority counsel; Turney Hall, staff assistant; and Alec Gerlach, staff assistant. 

Mr. Stearns. Good morning. The subcommittee will come to order. My colleagues, today we continue the subcommittee’s examination of consumer data security and identity theft. As all of us are keenly aware, our important work is set against the backdrop of almost daily reports of consumer data security breaches at data brokers, retailers, banks, universities, and the list, of course, goes on. It seems like every corner of our economy has been touched. Understandably, the public is worried. The reported breaches involve everything from elaborate high-tech hacker attacks to simply theft of physical consumer data that had been poorly secured in the first place. 

The consumer impact of these breaches has been just as varied. Some cases never result in identity theft or financial loss, while others affect significant consumer populations, with some estimates of those affected ballooning past initial numbers as further investigations reveal even larger cracks in the digital infrastructure. 

And while our initial assessment of the extent of this problem for consumers and businesses is still a bit fuzzy, the cracks and vulnerabilities are becoming more apparent to the committee and to the public. Questions are starting to be raised about the inherent security of a large segment of the commercial marketplace. This should concern all of us. The committee understands this concern, and to address it, there are a number of issues that need careful examination. 

First, we must ensure that existing Federal law does not leave open ways for certain entities to skirt the objectives of the primary laws governing such areas, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley. 

Second, if we determine that existing law is inadequate, we need to get a clearer and more accurate assessment of the scope of the problem across all sectors, assess the current legal tools we have to attack it, and weigh the need for additional regulation and other approaches. Other non-regulatory approaches could include applying good old American technological ingenuity to buttress current consumer data security regulations. 

Throughout this series of hearings, we have heard from a number of experts that data security breaches go hand in hand with identity theft, a phenomenon that keeps getting larger and more insidious. The numbers are sobering. At our March hearing, the FTC testified that over 10 million people were victims of identity theft during the 1-year period of its latest survey. The FTC estimated that this figure translates into loss of nearly $48 billion for businesses, almost $5 billion for consumers, and close to 300 million hours spent by those individuals and businesses trying to resolve the problems just generated by these crimes. 

We cannot allow our consumer economy to be undermined by these criminals. Consumers, businesses, and the public sector need to strengthen defenses collectively. The reality is that the bad guys will always be around. It is up to us as consumers, businesses, and public institutions to make sure that our data is locked down and is accounted for. The best offense to combat identity theft is simple prevention coupled with an assurance that entities dealing in consumer data adhere to consistent and comprehensive security standards with a bite. 

The accessibility and portability of consumer data in an information-driven market has made controlling who has access to what more difficult than ever. Consumer data breaches and, as a result, identity theft continue to grow and affect broader commercial activity at all levels, not just a specific industry or a specific sector. 

Consumer data in our modern markets has become a commodity. It is bought and sold. It is processed and analyzed. And it is now an integral ingredient in disciplines as varied as finance, demographics, research, direct marketing, academic study, and law enforcement. I believe the majority of these activities improve our lives and well-being. They make us more productive, allow a higher standard of living, and afford us better personal and national security, particularly in a post-9/11 world. 

What is lacking, my colleagues, however, is a safeguard system in which our personal data is shielded by a robust security no matter where it goes or whoever possesses it. We need to examine approaches that enable robust security measures to surround personal data as it speeds through commerce. 

I think this is where advanced technology can play a larger role in helping reduce the incidence of identity theft. Technologies like sophisticated encryption techniques, advanced password authentication systems, as well as better and more widespread use of advanced data security software all can play an important role in improving our defenses. Technology can also be used to facilitate more uniform best practices in affected sectors that deal in consumer data. 

Let me be clear. I do believe that additional measures are necessary, but for those still undecided, this hearing and the proceedings should provide a great deal of information to help everyone make a judgment call here. I think it is a fair thing to say that one thing is certain — criminals cannot be allowed to capitalize on another high-tech nefarious business model to steal and defraud American consumers, businesses, and public institutions. We have seen this happen with spyware and spam. It can’t be allowed to happen here. 

Therefore, our focus needs to be on first, clearly identifying what is not working before we act on a national scale. But with each new breach we are losing more valuable time to put an end to a new breed of professional cyber criminals and the inappropriate and illegal activities that are slowly corroding consumer confidence in the integrity of information-driven commerce and technology. 

I would like to thank our distinguished panel for being here this morning and for joining us today, and we look forward to your testimony. With that, the ranking member, Ms. Schakowsky. 

[The prepared statement of Hon. Cliff Stearns follows:] 

Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on Commerce, Trade, and Consumer Protection 

Good Morning. Today, we continue the Subcommittee’s examination of consumer data security and identity theft. As all of us are keenly aware, our important work is set against the backdrop of almost daily reports of consumer data security breaches at data brokers, retailers, banks, universities — and the list goes on. It seems like every corner of our economy has been touched. Understandably, the public is worried. The reported breaches involve everything from elaborate high-tech hacker attacks to simply theft of physical consumer data that had been poorly secured. The consumer impact of these breaches has been just as varied. Some cases never result in identity theft or financial loss while others affect significant consumer populations, with some estimates of those affected ballooning past initial numbers as further investigation reveals even bigger cracks in the digital infrastructure. And while our initial assessment of the extent of this problem for consumers and businesses is still a bit fuzzy, the cracks and vulnerabilities are becoming more apparent to the Committee and to the public. Questions are starting to be raised about the inherent security of a large segment of the commercial marketplace. This should concern us all. 

The Committee understands this concern. And to address it, there are a number of issues that need careful examination. First, we must ensure that existing federal law is not leaving open ways for certain entities to skirt the objectives of the primary laws governing this area, including the Fair Credit Reporting Act and Gramm-Leach-Bliley. Second, if we determine that existing law is inadequate, we need to get a clearer and more accurate assessment of the scope of the problem across all sectors, assess the current legal tools we have to attack it, and weigh the need for additional regulation and other approaches. Other non-regulatory approaches could include applying good old American technological ingenuity to buttress current consumer data security regulations. 

Throughout this series of hearings we have heard from a number of experts that data security breaches go hand in hand with identity theft — a phenomenon that keeps getting bigger and more insidious. The numbers are sobering. At our March hearing, the FTC testified that over 10 million people were victims of identity theft during the one-year period of its latest survey. The FTC estimated that this figure translates into losses of nearly $48 billion for businesses, almost $5 billion for consumers, and close to 300 million hours spent by those individuals and businesses trying to resolve the problems generated by these crimes. We cannot allow our consumer economy to be undermined by these criminals. Consumers, business, and the public sector need to strengthen defenses collectively. The reality is that the bad guys will always be around. It is up to us as consumers, businesses, and public institutions to make sure that our data is locked down and accounted for. The best offense to combat identity theft is simple prevention coupled with an assurance that entities dealing in consumer data adhere to consistent and comprehensive security standards with bite. 

The accessibility and portability of consumer data in an information-driven market has made controlling who has access to what more difficult than ever. Consumer data breaches and resultant identity theft continue to grow and affect broader commercial activity at all levels, not just a specific industry or sector. Consumer data in our modern markets has become a commodity. It is bought and sold. It is processed and analyzed. And it is now an integral ingredient in disciplines as varied as finance, demographic research, direct marketing, academic study, and law enforcement. I believe that the majority of these activities improve our lives and wellbeing. They make us more productive, allow higher standards of living, and afford us better personal and national security, particularly in a post 9/11 world. What is lacking, however, is a safeguard system in which our personal data is shielded by robust security no matter where it goes or who possesses it. We need to examine approaches that enable robust security measures to surround personal data as it speeds through commerce. 

I think this is where advanced technology can play a larger role in helping reduce the incidence of identity theft. Technologies like sophisticated encryption techniques, advanced password authentication systems, as well as better and more widespread use of advanced data security software all can play an important role in improving our defenses. Technology can also be used to facilitate more uniform best practices in affected sectors that deal in consumer data. 

Let me be clear, I do believe that additional measures are necessary. But for those still undecided, this hearing and the preceding ones should provide a great deal of information to make a judgment. I think it’s fair to say that one thing is certain — criminals cannot be allowed to capitalize on another high-tech, nefarious business model to steal and defraud American consumers, business, and public institutions. We’ve seen that happen with spyware and spam. It can’t be allowed to happen here. Therefore, our focus needs to be on first clearly identifying what is not working before we act on a national scale. But with each new breach, we are losing more valuable time to put an end to a new breed of professional cyber-criminal and the inappropriate and illegal activities that are slowly corroding consumer confidence in the integrity of information-driven commerce and technology. 

I would like to thank our distinguished panel of witnesses for joining us today. We look forward to your testimony. Thank you. 

Ms. Schakowsky. Once again I want to thank you, Chairman Stearns, for holding a hearing on how we can further protect consumers from the stealing of their most personal information. We need to close the canyon-size gaps in the law that are putting consumers and their sensitive, private information at serious risk of invasion — identity theft and other crimes. 

I look forward to hearing from our witnesses today about their ideas of what we can do, and I look forward to working with you, Chairman Stearns and Chairman Barton and Ranking Member Dingell and Representative Markey and others, on legislation to restore consumers’ control of private information. 

The Privacy Rights Clearinghouse has been keeping an ongoing tally of data breaches revealed since news first broke on the ChoicePoint incident. In the past 3 months alone we have learned that approximately 4,736,400 individuals have had their personally identifiable information compromised. Again, that is in just months. And those are the cases about which we know. 

The means of access are varied. Computers have been hacked and stolen, backup tapes lost, passwords compromised, information exposed online, and fake businesses established. And it has not just been the data brokers’ stockpiles that have been raided. University stores, banks, and government offices have seen their databases breached and their students, alumni, customers, and constituencies exposed. If there is personal information to be had, there are criminals out to get it from anyplace and in any way they can. 

From the recent wave of breaches we know data insecurity is endemic, and it is time for us to close whatever loopholes there are in privacy laws to ensure that consumers are not stuck with the short end of the stick as they are now. We need to address privacy and data security with comprehensive legislation governing the handling and use of personal and consumer information. I believe we should explore the possibility of giving consumers the power to lock up their information, making it available only when consumers give affirmative consent. We should also look into giving consumers the opportunity to inspect their information, and if it is not accurate, then a chance to correct it. We should also place a heightened responsibility on record keepers to ensure that they are truthfully representing consumers. And we should give victims of lost or stolen information a place to turn, like an office of an ombudsman, in order to help them through repairing whatever damage has been done by their information being compromised. We also need to explore the government’s use of information compiled by data brokers to make sure that Big Brother is not handing the binoculars to Big Business in order to skirt the Privacy Act. 

Inaccuracies can cost people their jobs, insurance, the right to vote, good credit histories, or even their lives. I believe that if consumers have the tools, resources, and the rights to protect their personal information, and if companies were held to a higher standard of accountability, we would not have 4.7 million letters being sent out over 3 months warning consumers that their information could be in the hands of criminals. 

We need to keep in mind that perhaps the only reason we know about these breaches is because of tough State laws like California’s that made sure these breaches were reported. If those companies with security breaches had to comply only with Federal legislation, there is a good chance we would be hearing from more and more identity theft victims and had no idea what was going on to cause the potential upsurge. 

When we craft the legislation to contend with data insecurity, we need to provide a floor and not a ceiling for how personal information is handled and protected. Let the States pressure us to do better instead of us limiting what they can do. 

Again, Chairman Stearns, I look forward to working with you and the other members of our committee to do what we can to protect consumers. I thank you. 

Mr. Stearns. I thank the gentlelady. The gentlelady from California, Ms. Bono. 

Ms. Bono. Thank you, Mr. Chairman. I just would like to thank you for holding this hearing, but I will waive an opening statement. 

Mr. Stearns. The gentlelady waives. Mr. Ross, is he here? Ms. Baldwin? No. The gentlelady waives. Mr. Pitts, gentleman — waive. Mr. Markey? 

Mr. Markey. Thank you, Mr. Chairman, very much. Mr. Chairman, in “Bonfire of the Vanities” the novelist Tom Wolfe wrote about “the Bororo Indians, a primitive jungle tribe who live along the Vermelho River in the Amazon Jungles of Brazil.” According to Wolfe, the Bororos believed that “there is no such thing as a private self.” Instead, they “regard the mind as an open cavity, like a cave or a tunnel or an arcade, if you will, in which the entire village dwells and the jungle grows.” Wolfe compared this to the situation faced by someone in the middle of a public scandal in the last quarter of the 20th century, when he suggested “one’s self — or what one takes to be oneself — is not a mere cavity open to the outside world but has suddenly become an amusement park to which everybody, todo el mundo, tout le monde, comes scampering, skipping and screaming, nerves a-tingle, loins aflame, ready for anything, all you have got, laughs, tears, moans, giddy thrills, gasps, horrors, whatever, the gorier the merrier.” 

In the 21st Century, Mr. Chairman, we now face the prospect of a world in which all of us — not just the Sherman McCoys caught in the midst of scandal — will be forced to live without a private self: with the entire “village” able to obtain access to some of the most personal aspects of our lives. 

In the emerging surveillance society of the 21st Century, the Bororo Indians seeking to inhabit our private selves are the data mining and information brokerage firms. These companies are collecting and selling a vast array of personal information about the American public. For a fee, these companies will tell you someone’s Social Security number, their address, phone number, driver’s license number, driving record, any criminal record information, court records, insurance claims, divorce records, and even credit and financial information. 

Recent press reports have chronicled the adverse privacy consequences of this phenomenon, as we have seen company after company acknowledging that the security and confidentiality of the personal information it holds about American citizens has been compromised. Each week the list of companies who have suffered data security breaches or acknowledged lax practices with respect to access to sensitive personal data has grown longer and longer. 

I have introduced three bills aimed at addressing the current threats to personal privacy. My first bill, the Information Protection and Security Act, would subject information brokers to regulation by the Federal Trade Commission, and specifically to a set of new, fair information practice rules that the FTC would be required to issue within 6 months of enactment. 

The FTC rules would address the security of information held by information brokers, the right of consumers to obtain access to incorrect information held by the broker, the responsibility of the broker to protect the information from unauthorized users or from users seeking the information for impermissible and unlawful purposes. The bill also provides the enforcement of the bill’s substantive provisions by the FTC, the State Attorney General, and a private right of action. 

My second bill would generally restrict the purchase and sale of Social Security numbers. And my third bill would allow consumers to block a company from transferring their personal information to entities located in countries that fail to provide adequate and enforceable privacy protection. 

In other words, the outsourcing of privacy to countries like India and Pakistan that do not have privacy laws in conformance with the EU or with the United States of America. Our x-rays should not be going to be read in countries that do not have the same privacy laws which we have. Our tax records should not be going there, our financial records should not be going there, our health records should not be going there. These are personal records to go to the very identity of us as Americans and as a people. I thank you, Mr. Chairman, for having this very important hearing. 

[The prepared statement of Hon. Edward J. Markey follows:] 

Prepared Statement of Hon. Edward J. Markey, a Representative in Congress from the State of Massachusetts 

Thank you, Mr. Chairman. 

In Bonfire of the Vanities, the novelist Tom Wolfe wrote about “The Bororo Indians, a primitive jungle tribe who live along the Vermelho River in the Amazon Jungles of Brazil.” According to Wolfe, the Bororos believed that “there is no such thing as a private self.” Instead, they “regard the mind as an open cavity, like a cave or a tunnel or an arcade, if you will, in which the entire village dwells and the jungle grows.” Wolfe compared this to the situation faced by someone in the middle of a public scandal in the last quarter of the 20th century — when, he suggested: 

“. . . one’s self — or what one takes to be one’s self — is not a mere cavity open to the outside world but has suddenly become an amusement park to which everybody, todo el mundo, tout le monde, comes scampering, skipping and screaming, nerves a-tingle, loins aflame, ready for anything, all you’ve got, laughs, tears, moans, giddy thrills, gasps, horrors, whatever, the gorier the merrier.” 

In the 21st Century, we now face the prospect of a world in which all of us — not just the Sherman McCoys caught in the midst of scandal — will be forced to live without a private self — with the entire “village” able to obtain access to some of the most personal aspects of our lives. 

In the emerging surveillance society of the 21st Century, the Bororo Indians seeking to inhabit our private selves are the data mining and information brokerage firms. These companies are collecting and selling a vast array of personal information about the American public. For a fee, these companies will tell you someone’s Social Security Number, their address, phone number, driver’s license number, driving record, any criminal record information, court records, insurance claims, divorce records, and even credit and financial information. 

Recent press reports have chronicled the adverse privacy consequences of this phenomenon, as we have seen company after company acknowledging that the security and confidentiality of the personal information it holds about American citizens has been compromised. Each week, the list of companies who have suffered data security breaches, or acknowledged lax practices with respect to access to sensitive personal data, has grown longer and longer. 

I have introduced three bills aimed at addressing the current threats to personal privacy. My first bill, the “Information Protection and Security Act,” would subject information brokers to regulation by the Federal Trade Commission, and specifically, to a set of new fair information practice rules that the FTC would be required to issue within 6 months of enactment. The FTC rules would address the security of information held by information brokers, the right of consumers to obtain access to and correct information held by the broker, the responsibility of the broker to protect the information from unauthorized users, or from users seeking the information for impermissible or unlawful purposes. The bill also provides for enforcement of the bill’s substantive provisions by the FTC, the State Attorneys General, and a private right of action. 

My second bill, H.R. 1078, would generally restrict the purchase or sale of Social Security numbers, which has become a ubiquitous personal identifier used by corporations and identity thieves to access sensitive personal information. 

My third bill, H.R. 1653, would allow consumers to block a company from transferring their personal information to entities located in countries that fail to provide adequate and enforceable privacy protections. 

All three of these bills have been referred to this Subcommittee, and I look forward to hearing the testimony of the witnesses at this morning’s hearing, and to discussing the proposals set forth in these bills with them. 

Mr. Stearns. I thank my colleague for a very thoughtful opening statement. And we are going to Mr. Terry. Mr. Terry waives. Ms. Cubin. 

Ms. Cubin. Thank you, Mr. Chairman, and thank you for holding this timely hearing. It is especially timely for me. I also want to thank the witnesses that are here today who have joined us to help us hopefully guide us on shaping future legislation regarding personal data security. 

Throughout my tenure on this subcommittee we have continuously addressed issues regarding privacy protection and the ability of third parties to access and distribute personally identifiable information. Though there are most certainly valid and necessary uses of personal data collection, recent breaches of seemingly secure data have demonstrated that there are just as many opportunities for criminal use of this information. 

Identity theft, as we all know, is a whole new realm of crime, and America does not currently have the proper legal tools to prevent it, rectify it, or mitigate it. ID theft can invade people’s homes, bank accounts, financial assets, often undetected. This can be devastating to victims and Congress must determine the best course of action to help this from happening. 

As I said, I think this hearing is timely because just on Monday of this week I was notified that I was one of over 96,000 people in one incident and one of 1.4 million people in another affected by an identity theft incident. According to a letter that I received from the companies to notify me of this breach, stolen personal information included bank account numbers and driver’s license numbers and other information that’s provided on checks. While I was lucky enough I think — I am not sure at this point — that my Social Security number wasn’t stolen and that my address wasn’t stolen, millions of Americans aren’t that lucky — if you want to call my situation lucky. 

Financial institutions whose systems have been breached have an immediate responsibility to notify victims as well as to provide an explanation of the breach of the security system, which did happen with me. Once again I thank — I hope that I was notified of everything. I am hopeful that today’s hearing will outline what other further steps must be taken to assist us in identifying victims and rectifying fraudulent bank transactions and correcting inaccurate file information for future dissemination. 

I hope this subcommittee will continue to examine this issue in 
the light of the need for harsher punishment for both data thieves 
and commercial entities who forfeit personal information, albeit un- 
intentionally. 

I thank the chairman and I yield back the balance of my time. 

[The prepared statement of Hon. Barbara Cubin follows:] 

Prepared Statement of Hon. Barbara Cubin, a Representative in Congress 
from the State of Wyoming 

Thank you, Mr. Chairman, for holding this timely hearing. 

I would also like to thank the witnesses who have joined us here today. As we 
found during the previous hearing, the current laws governing data security are 
very complex. I anticipate an open dialogue with the panel of witnesses to help 
guide Members of the Subcommittee in shaping future legislation regarding per- 
sonal data security. 

Throughout my tenure on this subcommittee, we have continuously addressed 
issues relating to privacy protection and the ability of third parties to access and 
distribute personally identifiable information. Though there are most certainly valid 
and necessary uses of personal data collection, recent breaches of seemingly secure 
data have demonstrated that there are just as many opportunities for criminal use 
of this information. Identity theft is a whole new realm of crime, and America does 
not currently have the proper legal tools to prevent, rectify or mitigate it. ID theft 
can invade people’s homes, bank accounts, and financial assets, often undetected. 
This can be devastating to victims, and Congress must determine the best course 
of action to halt this crime. 

I myself have just recently been notified that I was one of over 1.4 million peo- 
ple affected by the DSW identity theft incident. According to the letter DSW sent 
to notify me of this breach, stolen personal information included bank account and 
drivers license numbers provided on checks. While the stolen information did not 
include names, addresses, or Social Security numbers, millions of Americans af- 
fected in other data theft incidents have not been so lucky. It is crucial we call at- 
tention to the need for consumers to have proper recourse. Financial institutions 
whose systems have been breached have an immediate responsibility to notify vic- 
tims, as well as provide an explanation of the nature of the system’s breach. I am 
hopeful today’s hearing will outline what further steps must be taken to assist iden- 
tity theft victims in rectifying fraudulent bank transactions and correcting inac- 
curate file information for future dissemination. 

I hope the subcommittee will continue to examine this issue in light of the need 
for harsher punishment for both data thieves and the commercial entities who for- 
feit personal information, albeit unintentionally. I thank the chairman, and I yield 
back the balance of my time. 

Mr. Stearns. I thank the gentlelady, and it is very appropriate 
that you bring to our attention that letter. And I thank you very 
much, and I think that lends credence to why we are attempting 
to grapple with this problem to come up with a solution. Mr. 
Radanovich? The gentleman waives. Ms. Myrick? 

Ms. Myrick. I waive also. 

Mr. Stearns. Okay. I think everybody has completed their op- 
portunity for an opening statement. We move now to our witness 
list. And we welcome them. Before I start, Mr. Ross would like to 
make an introduction. Mr. Ross. 

Mr. Ross. Thank you, Mr. Chairman and Ranking Member 
Schakowsky for having this important hearing today to address the 
issue of protecting consumers’ data. I am pleased that we have Jen- 
nifer Barrett to testify from Acxiom, which is located in my home 
State of Arkansas. 

Since it was founded in 1969, Acxiom has used technology and 
consumer data to help some of the largest, most respected compa- 
nies in the world improve their business results. Acxiom is based 
in Little Rock, Arkansas and employs more than 6,300 people in 
eight countries with an annual revenue of about $1.2 billion. 

Jennifer Barrett is the chief privacy officer of Acxiom Corpora- 
tion and is one of the world’s leading authorities on information 
practices and policies and their impact on consumers, commerce, 
and the global economy. Jennifer has been with Acxiom almost 
since its inception after earning a degree in computer science and 
mathematics from the University of Texas, which those of us in Ar- 
kansas do not hold against her. She has worked at almost every 
facet of the company. In the early 1990’s she became one of the 
first executives in any industry to become what is now commonly 
referred to as a chief privacy officer, assigned to help her company 
and its clients achieve the critical balance of protecting consumer 
privacy while preserving the benefits of this new information age. 
Jennifer is now sought out by leading companies, international 
business leaders, lawmakers, regulators, and many others for her 
counsel and views on the responsible uses of data. She has ap- 
peared many times before committees and forums here in Washington, and we 
appreciate her again offering her insights to us 
today. So I would like to thank you, and I look forward to the testi- 
mony from Mrs. Barrett as well as the other witnesses on the panel 
today and the questions from the members here as well. 

Mr. Stearns. I thank my colleague. 

[Additional statements submitted for the record follow:] 

Prepared Statement of Hon. George Radanovich, a Representative in 
Congress from the State of California 

Mr. Chairman, I would like to thank you for holding this important hearing today 
on securing consumers’ data. 

With recent reports from the Federal Trade Commission’s study survey indicating 
that over 10 million people were victims of identity theft during a one year period 
and estimates that translate into $48 billion loss for businesses and $5 billion loss 
for consumers, I believe it is evident that the time is right for Congress to determine 
what needs to be done to protect our constituents from these thieves. 

I am happy to report that California has been one of the most active state govern- 
ments in regulating data security. In 2002 California passed a consumer security 
breach notification law that requires any state agency, or any person or business 
that owns or licenses computerized data that includes personal information to dis- 
close any breach of security of the data to any resident of that state whose 
unencrypted information was, or is reasonably believed to have been, acquired by 
an unauthorized person. In addition to California I would like to commend the 
states of Georgia, Texas and Illinois who are considering similar legislation. 

As we hear from our witnesses today it is important to determine if the current 
federal laws are sufficient to protect the data security of consumers and if tech- 
nologies exist that could aid in protecting sensitive consumer data and prevent un- 
authorized access to computerized databases. 

Recent reports of data security breaches by data brokers, financial institutions, 
and retailers have raised questions about the sufficiency of current laws to protect 
consumer information from identity theft. 

During the Subcommittee’s March hearing on issues related to the ChoicePoint 
breach, the FTC testified that the results of a recent FTC study indicated that over 
10 million people were victims of identity theft during the one year period the 
study’s survey covered. The FTC estimates that the losses translate into $48 billion 
for businesses and $5 billion to consumers. 

While there are Federal laws that provide standards for disclosure of consumer 
information and require certain entities to take steps to safeguard consumer infor- 
mation, there is NO comprehensive Federal law dealing with data security that gov- 
erns ALL uses of consumer data. There are two main bodies of Federal law that 
deal with privacy and data security related to certain types of entities and certain 
uses of information: The Fair Credit Reporting Act and the Gramm-Leach-Bliley Act; 
however the universe of entities to which these bodies of law apply is limited. 

Several other states have passed or are considering similar legislation, including 
GA, TX, and IL. A number of federal bills introduced in this Congress are modeled 
after the CA statute. 

The social security number was created to identify each U.S. citizen for the sole 
purpose of tracking employment and benefits however, over time our social security 
number has been used by both public and private entities for purposes both related 
and unrelated to the social security program. The usage of this unique identifier has 
benefited both businesses and consumers, but unfortunately it has led to misuse and 
most importantly identity theft. 

The FTC has reported that over 10 million people were victims of identity theft 
in one year and they estimate that this translates into upwards of a $48 billion loss 
for businesses and $5 billion loss for consumers, but a price tag can not be put on 
the loss of one’s identity. 

I look forward to hearing our witnesses’ testimony today. Hopefully this will help us de- 
termine if our current laws are adequate enough to protect the integrity of our so- 
cial security numbers and if not, what we need to do to protect them. 


Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy 
and Commerce 

Thank you Mr. Chairman for holding this hearing today. I have spent consider- 
able time focusing on information security issues such as the spyware legislation 
that this Committee passed unanimously. I’m confident that that bill will be re- 
ceived favorably by the full House as well. Our Committee’s work on these issues 
will continue in earnest, particularly in light of the alarming and ever-growing list 
of data security breaches recently. 

Nothing seems safe. In recent months, we have learned about the loss of person- 
ally identifiable information — even including Social Security numbers — from 
ChoicePoint, LexisNexis, Blockbuster, as well as a company called RuffaloCODY 
that manages information systems for a number of colleges and universities. Most 
recently, data tapes belonging to Time Warner were stolen from a storage company 
called Iron Mountain — a company, I might add, that also stores some sensitive infor- 
mation for the Congress. I suspect that there are more thefts of this nature about 
which we have not yet learned. 

This is simply unacceptable. 

In the Internet age, personal information can be accessed in any number of ways 
and from any number of outlets. To not guard it closely is to open the door to 
thieves. Sensitive personal information must be secure, and companies that legally 
gather and distribute this information need to be held accountable if they do not 
take reasonable steps to ensure that security. 

The recent breaches have focused our attention on “data brokers” who compile 
public and non-public information in ways that seem downright Orwellian. They can 
share it, rent it, and sell it. Constraints on these companies and their practices are 
few and thin. Some of these companies provide an important service for individuals 
trying to protect their families or investments, as well as for the government trying 
to protect us all. It is essential that only those who have an appropriate, legitimate 
reason for having access to such information are allowed to view it. Those who pro- 
vide this access must be responsible for verifying both the legitimacy of the business 
or person inquiring, as well as the appropriateness of their reason for doing so. Of 
course, other entities such as credit card companies, department stores — even the 
video store, as I mentioned — have sensitive information as well. They must be simi- 
larly responsible with the data, and take vigorous steps to protect it. 

Congress has not laid out a comprehensive framework for data security and data 
brokers, and it is clear that we need to act. This Committee must take the lead in 
developing appropriate safeguards for consumer information, and we will proceed to 
that end on a bipartisan basis. I am glad that Chairman Stearns has put together 
a diverse panel to discuss this topic, and to explore options for how we as policy- 
makers can help address the concerns of the American public. 

With that, I would like to welcome the witnesses and thank them for their partici- 
pation. I am very interested to hear what these companies and their industries are 
doing to help prevent identity theft, and the misuse of personal information in gen- 
eral. 

Thank you, and I yield back the balance of my time. 


Prepared Statement of Hon. Ed Towns, a Representative in Congress from 
the State of New York 

Thank you Mr. Chairman for holding this important hearing. Since we last met, 
the privacy of our constituents has been compromised further and their worries 
have increased ten-fold. I was encouraged by the feedback that we received in our 
hearing this past March, but there is much more work to be done. 

I was pleased to learn that banks and credit card companies are detecting fraud 
at a quicker rate and successfully shutting down information-sharing websites be- 
fore identity theft becomes more rampant and uncontrollable. While I understand 
that stolen or lost credit cards still account for the largest losses to consumers, the 
danger these on-line thieves pose must be confronted and dealt with. 

According to an article in Monday’s Wall Street Journal, the Anti-Phishing Work- 
ing Group says 2,870 active phishing sites were reported in March alone, and that 
since last July such sites have increased 28% a month. The article goes on to state 
that about 980,000 American consumers had encountered identity-theft fraud via 
phishing in the prior year, costing banks and credit card issuers more than $1.2 bil- 
lion in direct losses. 

I have had a long-standing interest in protecting consumers’ privacy. I first began 
advocating for safeguarding medical records when I found my own records in a pub- 
lic trash bin following a doctor’s appointment. In response, I introduced a bill pro- 
tecting the privacy rights of insurance claimants, which became part of HIPAA. 

Since last Congress, I have been working with my colleague, Congresswoman 
Mary Bono, to protect consumers’ privacy on the internet from Spyware. Our committee 
passed this bill last week and I am hopeful that we can send it to the President’s 
desk before the end of this year. 

I look forward to hearing from our witnesses about what went wrong in these re- 
cent cases and how we can better protect consumers. 

Thank you Mr. Chairman. I yield back the balance of my time. 

Mr. Stearns. We want to welcome Ms. Barrett of Acxiom Cor- 
poration; also Mr. Steve Buege, Senior Vice President of Business 
Information, News and Public Records, North American Legal; 
Thomson West; Mr. Oliver Ireland, Partner, Financial Services 
Practice Group, Morrison and Foerster; on behalf of Visa U.S.A., 
Mr. Daniel Burton, Vice President of Government Affairs, Entrust, 
Incorporated, McLean, Virginia; and Mr. Daniel Solove, Associate 
Professor of Law at George Washington University Law School. I 
thank all of you for attending this morning. And, Ms. Barrett, we 
will start with you for your opening statement. 

STATEMENTS OF JENNIFER BARRETT, CHIEF PRIVACY OFFI- 
CER, ACXIOM CORPORATION; STEVE BUEGE, SENIOR VICE 
PRESIDENT, BUSINESS INFORMATION, NEWS AND PUBLIC 
RECORDS, NORTH AMERICAN LEGAL; OLIVER I. IRELAND, 
PARTNER, FINANCIAL SERVICES PRACTICE GROUP, MORRI- 
SON AND FOERSTER, LLP, ON BEHALF OF VISA USA; DANIEL 
BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, EN- 
TRUST, INC.; AND DANIEL J. SOLOVE, ASSOCIATE PRO- 
FESSOR OF LAW, GEORGE WASHINGTON UNIVERSITY LAW 
SCHOOL 

Ms. Barrett. Thank you. Chairman Stearns, Ranking Member 
Schakowsky, Congressman Ross, and distinguished members of 
this committee. I thank you for the opportunity for Acxiom to par- 
ticipate in this hearing, and I ask for unanimous consent that my 
written statement be entered in the record. 

Mr. Stearns. By unanimous consent, so ordered. 

Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys are 
smart and they are getting better organized in using their skills to 
intelligently but illegally and fraudulently access personal informa- 
tion. Acxiom must therefore remain more vigilant and innovative 
by constantly improving, auditing, and testing our systems, and 
yes, even learning from the security breaches in the marketplace. 

Information is an integral part of the American economy, and 
Acxiom recognizes its responsibility to safeguard the personal infor- 
mation it collects and brings to the market. As FTC Chairman 
Majoras recently stated in her testimony both before the Senate 
and the House, “There is no such thing as perfect security.” And 
breaches can happen even when a company has taken every rea- 
sonable precaution. Although we believe this to be true, no one has 
a greater interest than Acxiom in protecting its information be- 
cause our very existence depends on it. 

Acxiom’s U.S. business includes two distinct components: our 
customized computer services and a line of information products. 
Our computer services, which represent more than 80 percent of 
the company’s business, help businesses, not-for-profit organiza- 
tions, political parties, and government manage their own informa- 
tion. Less than 20 percent of our business comes from our four 
lines of products involving information — our fraud management 
products, our background screening products, our directory products, and our 
marketing products. Our fraud management and 
background screening products are the only Acxiom products con- 
taining sensitive information, and they represent less than 10 per- 
cent of our business. 

Acxiom would like to take this opportunity to set the record 
straight in response to a couple of misunderstandings that have de- 
veloped about the company. First, Acxiom does not maintain one 
big data base containing dossiers on anyone. Instead, we build and 
maintain discrete, segregated data bases for each and every prod- 
uct. 

Second, Acxiom does not co-mingle client information that comes 
from the services we provide to our clients with their information 
products, which we are responsible for. Such activity would con- 
stitute a violation of our contracts and consumer privacy. 

Third, Acxiom’s fraud management products are sold only to a 
handful of large companies and government agencies who have a 
legitimate need for them. The information utilized in these prod- 
ucts is covered under the safeguards and use rules of the Gramm- 
Leach-Bliley Act and both State and Federal driver privacy protec- 
tion laws. 

Fourth, Acxiom’s fraud management verification services only 
validate information already in our client’s possession. Access to 
additional information is available only to law enforcement and the 
internal fraud departments of large financial institutions and in- 
surance companies. 

Fifth, our background screening products are covered under the 
Fair Credit Reporting Act, and we do not pre-aggregate information 
provided in these services. 

Beyond these protections, the following additional safeguards 
exist: first, because public record information is blended with regu- 
lated information in both our fraud management and our back- 
ground screening products, Acxiom voluntarily applies the more 
stringent security standards to all such blended data, even though 
not required to by law. Since 1997 Acxiom has posted a privacy pol- 
icy on our website describing both our online and all our offline 
practices, thus voluntarily subjecting the company to the FTC rules 
governing unfair or deceptive practices. Third, the company has im- 
posed our own internal, more restrictive guidelines for use of sen- 
sitive information such as Social Security numbers. And fourth, all 
of Acxiom’s information products and practices have been audited 
on an annual basis since 1997, and our security policies are regu- 
larly audited both by ourselves, as well as by many of our clients. 

Two years ago Acxiom experienced a security breach on one of 
the external file transfer servers used to transfer information back 
and forth between Acxiom and our clients. Fortunately, the vast 
majority of the information involved was of a non-sensitive nature, 
and law enforcement was able to apprehend the suspects and as- 
certain that none of the information was used to commit identity 
fraud. Since then, Acxiom has put in place even greater protections 
for the benefit of both consumers and our clients. 

In conclusion, I would like to say that ongoing privacy concerns 
indicate the adoption of additional legislation may be appropriate. 
Acxiom supports efforts to pass federally preemptive legislation re- 
quiring notice to consumers in the event of a security breach, which 
places the consumer at risk of identity fraud. Acxiom also supports 
the recent proposal from FTC Chairman Majoras for the extension 
of the GLBA Safeguards Rule. 

Mr. Chairman, on behalf of Acxiom I want to express our grati- 
tude for the opportunity to participate, and we will be happy to an- 
swer any questions the committee may have. 

[The prepared statement of Jennifer Barrett follows:] 

Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom Corporation 

INTRODUCTION 

Chairman Stearns, Ranking Member Schakowsky and distinguished Members of 
the Committee, thank you for taking the time to hold this hearing on consumer data 
and options following security breaches. Acxiom appreciates the opportunity to par- 
ticipate in today’s hearing. 

Acxiom has an inherent responsibility to safeguard the personal information we 
collect and bring to the market, and we have focused on assuring the appropriate 
use of these products and providing a safe environment for this information since 
1991 when the company brought its first information products to market. 

It is important that we all recognize that information has become an ever growing 
and ever more integral part of the American economy. Information is the facilitator 
of convenience, competition and provides the tools that reduce fraud and terrorism. 
As such, we believe that it is Acxiom’s obligation to provide effective safeguards to 
protect the information we bring to market regardless of the difficulties encountered 
in doing so. 

Let me be blunt. The bad guys are smart and getting more organized. They will 
use all of the skills available to them to try to find ways to obtain the information 
they need to commit fraud. Acxiom must therefore remain vigilant and innovative, 
and that is why we employ a world-class information security staff to help us fend 
off criminals who attempt to access Acxiom’s data. Acxiom is constantly improving, 
auditing and testing its systems. Yes, Acxiom is even learning from security 
breaches when they occur, and we are certain that other responsible companies are 
doing so as well. 

As Chairman Deborah Majoras of the Federal Trade Commission recently stated 
in her testimony before the Senate, “[T]here is no such thing as perfect security, 
and breaches can happen even when a company has taken every reasonable pre- 
caution.” Even though we believe that this is true, no one has a greater interest 
than Acxiom in protecting information because the company’s very existence de- 
pends on securing personal information pertaining to consumers. 

In order to enjoy the benefits provided by a robust information-based economy and 
also to keep our citizens safe from fraudulent activity, there are no quick fixes or 
easy solutions. We believe that it is necessary that cooperation exists among policy 
makers, information service providers, Acxiom’s clients, law enforcement and con- 
sumers. We applaud your interest in exploring these issues and we very much want 
to be a resource in helping you achieve the proper legislative balance we all seek. 

ABOUT ACXIOM CORPORATION 

Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas, with oper- 
ations throughout the United States, and with processing centers in Arkansas, Illi- 
nois, Arizona, Ohio and California. The company also has offices in nine other coun- 
tries across Europe and Asia. From a small company in Arkansas, Acxiom Corpora- 
tion has grown into a publicly traded corporation with more than 6,000 employees 
worldwide. 

Acxiom’s U.S. business includes two distinct components: customized computer 
services and a line of information products. Acxiom’s computer services represent 
the vast majority of the company’s business and they include a wide array of leading 
technologies and specialized computer services focused on helping clients manage 
their own customer information. These services are offered exclusively to large busi- 
nesses, not-for-profit organizations, political parties and candidates, and government 
agencies. Acxiom’s private sector computer services clients represent a “who’s who” 
of America’s leading companies. Acxiom helps these clients improve the loyalty of 
their customers and increase their market share, while reducing risk and assisting 
them with their compliance responsibilities under state and federal law. Finally, 
Acxiom helps government agencies improve the accuracy of the personal information 
they currently hold. 

The balance of Acxiom’s business comes from information products that are com- 
prised of four categories: fraud management products, background screening prod- 
ucts, directory products and marketing products. These four product lines represent 
less than 20 percent of the company’s total business and the fraud management and 
background screening products represent less than 10 percent. While each product 
plays a unique role, all of Acxiom’s information products help fill an important gap 
in today’s business-to-consumer relationship. 

To understand the critical role Acxiom plays in facilitating the nation’s economy 
and safeguarding consumers, it is important to understand what the company does 
not do. Over the years, a number of myths have developed about Acxiom that re- 
quire clarification. Please allow us to set the record straight: 

• Acxiom does not maintain one big database that contains detailed information 
about all individuals. Instead, the company safeguards discrete databases devel- 
oped and tailored to meet the specific needs of Acxiom’s clients — entities that 
are appropriately screened and with whom Acxiom has legally enforceable con- 
tractual commitments. I cannot call up from the company’s databases a detailed 
dossier on myself or any individual. 

• Acxiom does not provide information on particular individuals to the public, with 
the exception of Acxiom’s telephone directory products. These products, which 
are available on several Internet search engines, contain information already 
available to the public. The other information Acxiom processes is provided only 
to legitimate businesses for specific legitimate business purposes. 

• Acxiom does not have any information in either its directory or marketing prod- 
ucts which could be used to commit identity fraud. Acxiom also does not include 
detailed or specific transaction-related information, such as what purchases an 
individual made on the Internet or what websites they visited. The company’s 
directory products include only name, address and telephone information. The 
company’s marketing products include only information that is general in na- 
ture and not specific to an individual purchase or transaction. 

• Acxiom does not commingle client information that the company processes in its 
computer services business with any of our information products. Such activity 
would constitute a violation of the company’s services contracts with those cli- 
ents and a violation of consumer privacy. A client for whom the company per- 
forms services may have a different agreement with us as a data contributor, 
but these two relationships are kept entirely separate. 

Acxiom’s fraud management products are sold exclusively to a handful of large 
companies and government agencies — they are not sold to individuals. The com- 
pany’s verification services only validate that the information our client has ob- 
tained from the consumer is correct. Only law enforcement, government agencies 
and the internal fraud departments of large financial institutions and insurance 
companies have access to additional information. 

Acxiom’s background screening products provide employment and tenant screen- 
ing services which utilize field researchers who do in-person, real-time research 
against public records and make calls to past employers to verify the information 
provided by the consumer. Where permitted by law, a pre-employment credit report 
can also be obtained. Acxiom does not pre-aggregate information for these products. 

Acxiom’s directory information products contain only contact information on con- 
sumers such as name, address and telephone number. They are collected so busi- 
nesses and consumers can locate other businesses or consumers. They are compiled 
from the white and yellow pages of published U.S. and Canadian telephone direc- 
tories and from information available from the various directory assistance services 
provided by the telephone companies. 

Acxiom’s marketing information products provide demographic, lifestyle and inter- 
est information to companies to reach prospective new customers who are most like- 
ly to have an interest in their products and to better understand and serve the 
needs of existing customers. They are compiled from public records, surveys and 
summarized customer information primarily from publishers and catalogers. 

RESPECTING AND PROTECTING CONSUMERS’ PRIVACY 

Acxiom has a longstanding tradition and engrained culture of protecting and re- 
specting consumer interests in our business. The company is today, and always has 
been, a leader in developing self-regulatory guidelines and in establishing security 
policies and privacy practices. There are, as explained below, numerous laws and 
regulations that govern our business. Ultimately, however, Acxiom’s own comprehensive 
approach to information use and security goes far beyond what is re- 
quired by either law or self-regulation. 

Safeguards Applicable to Products Involving the Transfer of Sensitive Information 

Only Acxiom’s fraud management and background screening products involve the 
transfer of sensitive information. These products, therefore, are subject to law, regu- 
lations and our own company policies that help protect against identity fraud. These 
legal protections and additional safeguards are addressed below: 

GLBA, DPPAs, and FTC: Our fraud management products utilize information cov- 
ered under the Gramm-Leach-Bliley Act (GLBA), and driver’s license informa- 
tion covered under both state and federal driver’s privacy protection acts 
(DPPAs). These obligations include honoring GLBA and DPPA notice and choice 
related to sharing and use of the information, the GLBA Safeguard Rules and 
FTC Privacy Rule and Interagency Guidelines. Any uses of data must fall with- 
in one of the permitted uses or exceptions specified in these laws. 

FCRA and FACTA: Our background screening products are covered by all of the 
regulations and consumer protections established by the Fair Credit Reporting 
Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). These 
protections include: the requirement that a consumer authorize the creation of 
employment reports; notice of adverse actions taken based on such report; and 
the right of consumers to obtain a copy of such reports and to dispute inaccura- 
cies. Finally, such regulations require that re-verification or correction of dis- 
puted information be performed in a timely manner. 

Safeguarding Public Record Information: Public records are used in both 
Acxiom’s fraud management and background screening products. Although a height- 
ened level of protection is not mandated for such public record information, by vir- 
tue of the fact that such public information is blended with regulated information, 
Acxiom voluntarily chooses to apply the more stringent standards of the above-men- 
tioned regulations to the resulting products. 

Safeguards Applicable to Other Products 

Although Acxiom’s directory and marketing products do not contain any sensitive 
information that could put a consumer at risk for identity fraud, Acxiom is still sub- 
ject to the following critical safeguards: various industry guidelines, compliance with 
all requirements in the original notice to consumers at the time the data was col- 
lected, and voluntary compliance with those laws to which our clients themselves 
are subject. 

Telephone Directory Safeguards: Acxiom’s directory products comply with all 
applicable policies regarding unpublished and unlisted telephone numbers and 
addresses. In addition, because Acxiom recognizes that consumers may object 
to published listings being available on the Internet, Acxiom itself offers an opt- 
out from such use. Further, Acxiom voluntarily suppresses all telephone num- 
bers found on the Federal Trade Commission’s Do-Not-Call Registry and the 
eleven other state Do-Not-Call registries, when providing phone numbers for 
targeted telemarketing purposes. 

Marketing Product Safeguards: Acxiom’s marketing products comply with all the 
self-regulatory guidelines issued by the Direct Marketing Association. These re- 
quirements include notice and the opportunity to opt-out. Consumers have the 
ability to opt-out from Acxiom’s marketing products by calling the company’s 
toll-free Consumer Hotline, accessing its Website, or by writing to the company. 
Since Acxiom does not have a customer relationship with individual consumers, 
Acxiom coordinates with its industry clients to research and resolve consumer 
inquiries. 

Additional Safeguards 

Acxiom takes seriously its responsibility to assure that all the information we 
bring to market is appropriate for the use to which it is intended and to provide 
adequate safeguards specifically aimed at protecting against unauthorized use. 

Privacy Policy/FTC Jurisdiction: Since 1997, long before it was a common prac- 
tice, Acxiom has posted its privacy policy on the company’s website. The privacy 
policy describes both Acxiom’s online and offline consumer information products. 
The policy further describes: what data Acxiom collects for these products; how 
such data is used; the types of clients to which such data is licensed; as well 
as the choices available to consumers as to how such data is used. By making 
these extensive disclosures, Acxiom has voluntarily subjected itself to Section 5 
of the Federal Trade Commission Act, which prohibits unfair or deceptive con- 
duct in the course of trade or commerce, as well as various state statutes gov- 
erning unfair and deceptive acts and practices. 

Consumer Care Department/Consumer Hotline: Acxiom maintains a Consumer 
Care Department led by a Consumer Advocate whose team interacted with 
more than 50,000 consumers in the past 12 months by way of answering ques- 
tions, resolving issues, processing opt-outs, and handling requests for access to 
Acxiom’s fraud management, background screening, directory and marketing 
products. Acxiom provides consumers who contact the company (through the 
company website, or by calling a toll-free Consumer Hotline or by writing to the 
company) the options of: opting-out of all of Acxiom’s marketing products; re- 
ceiving an information report from the company’s fraud management and direc- 
tory products; or receiving a consumer report as specified in the FCRA from the 
company’s background screening products. Acxiom encourages consumers to no- 
tify the company if the information in any of these reports is inaccurate and 
it is the company’s policy either to correct the information, to delete it or to 
refer the consumer to the appropriate source to obtain the requested correction, 
such as a county or state agency. 

Certification and Compliance with Federal and State Law: Acxiom’s privacy 
policy is designed to adhere to all Federal, State, and local laws and regulations 
on the use of personal information. The company is also certified under the De- 
partment of Commerce’s European Union Safe Harbor and the Better Business 
Bureau’s Online Seal. 

Consumer Education: Acxiom believes that consumers should be educated about 
how businesses use information. To that end, Acxiom publishes a booklet, enti- 
tled “Protecting Your Privacy in the Information Age — What Every Consumer 
Should Know About the Use of Individual Information,” which is available for 
free both on the company’s website and upon written or telephone request. 

Voluntary Acxiom Policies: Above and beyond the industry-accepted guidelines 
with which Acxiom complies, Acxiom also has established its own internal 
guidelines, which are more restrictive than industry standards. For example, 
Acxiom only collects the specific information required to meet its clients’ infor- 
mation needs, and the company properly disposes of the remaining data, when 
information is compiled from public records. Acxiom has also implemented spe- 
cific guidelines regarding the use and protection of information that could be 
involved in identity fraud, such as Social Security numbers. 

Information Practice and Security Audits: Acxiom has had a longstanding focus 
on the appropriate use of information in developing and delivering its informa- 
tion products. While the creation of strong information use policies is a business 
imperative, assuring these policies are followed is equally important. To this 
end, all of Acxiom’s information products and practices have been internally and 
externally audited on an annual basis since 1997. 

Since many of Acxiom’s computer service clients are financial institutions and 
insurance agencies, Acxiom has been regularly audited for many years by these 
clients. Furthermore, Acxiom must honor the safeguards and security policies 
of the company’s clients. Since Acxiom’s security program is enterprise-wide, it 
is the company’s policy to institute these high levels of protection across all 
lines of business. These client audits, along with Acxiom’s own internal security 
audits, provide Acxiom with regular and valuable feedback on ways to stay 
ahead of hackers and fraudsters who may attempt to gain unauthorized access 
to Acxiom’s systems. 

Lessons Learned 

Two years ago, Acxiom experienced a security breach on one of the company’s ex- 
ternal file transfer servers. The hackers were employees of an Acxiom client and a 
client’s contractor. As users with legitimate access to the server, the hackers had 
received authority to transfer and receive their own files. The hackers did not pene- 
trate the firewalls to Acxiom’s main system. They did, however, exceed their author- 
ity when they accessed an encrypted password file on the server and successfully 
unencrypted about 10 percent of the passwords, which allowed them to gain access 
to other client files on the server. Fortunately, the vast majority of the information 
involved in this incident was of a non-sensitive nature. 

Upon learning of the initial breach from law enforcement, Acxiom immediately no- 
tified all affected clients and, upon further forensic investigation, the company in- 
formed law enforcement regarding a second suspected security incident. Fortu- 
nately, in both instances, law enforcement was able to apprehend the suspects, re- 
cover the affected information and ascertain that none of the information was used 
to commit identity fraud. One of the hackers pled guilty and was recently sentenced 
to 48 months in federal prison. The other is currently awaiting trial. 

As a result of the breach, Acxiom cooperated with audits conducted by dozens of 
its clients, and both the Federal Trade Commission and the Office of the Comptroller 
of the Currency examined Acxiom’s processes to ensure that the company 
was in compliance with all applicable laws and its own stated policies. 

This experience taught Acxiom additional valuable lessons regarding the protec- 
tion of information. For example, Acxiom now requires the use of more secure pass- 
words on the affected server. The process for transferring files has been changed, 
specifically by keeping information on the server for much shorter periods of time. 
And while it was always a recommended internal policy, Acxiom now requires that 
all sensitive information passed across such servers be encrypted. In addition, while 
Acxiom has had in place a Security Oversight Committee for many years, the com- 
pany has also now appointed a Chief Security Officer with more than 20 years of 
IT experience. In short, Acxiom’s systems are more secure today as a result of the 
company’s experience and dedication to the privacy of consumers. 

The Need For Additional Legislative Safeguards 

There has been much discussion, especially in recent weeks, about whether exist- 
ing federal law sufficiently protects consumers from harm. In this regard, Acxiom 
does believe that additional, appropriately tailored legislation would assist Acxiom, 
the rest of the information services industry and businesses in general in ensuring 
that consumers are protected from fraud and identity theft. But, as FTC Chairman 
Majoras has said, even the best security systems imaginable and the strongest laws 
possible can nonetheless be circumvented by inventive criminals intent on commit- 
ting fraud. 

Breach Notification: Acxiom supports efforts to pass federal preemptive legisla- 
tion requiring notice to consumers in the event of a security breach, where such 
breach places consumers at risk of identity theft or fraud. California imple- 
mented similar legislation several years ago, and over thirty other states are 
involved in passing similar laws. The bottom line is that consumers deserve a 
nationwide mandate that requires that they be notified when they are at risk 
of identity theft, so they can take appropriate steps to protect themselves. 

Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily subjects 
itself to the GLBA Safeguards Rule with respect to the company’s computer 
services and information products. Acxiom also complies with the California 
safeguards law (AB 1950). FTC Chairman Majoras recently has proposed an ex- 
tension of the GLBA Safeguards Rule to the information services industry as 
a whole. Acxiom supports her recommendation. 

Mr. Chairman, Acxiom appreciates the opportunity to participate in this hearing 
and to assist Congress in identifying how best to safeguard the nation’s information 
and data. Acxiom is available to provide any additional information the Committee 
may request. 
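The breach described in the statement above turned on three things: a password file reachable by users who only needed to move their own files, passwords weak enough that about 10 percent fell to offline guessing, and client data left on the server long enough to be worth taking. The following Python is an added illustration written for this edit, not code from Acxiom or from the hearing record, which does not say how that server stored passwords. It assumes an unsalted SHA-1 password file (a weak legacy scheme, chosen to make the point) and uses constructed accounts, a constructed guess list and a constructed directory listing to show the offline attack and the two countermeasures the statement names, a stronger password policy and a shorter retention window.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample accounts for a file-transfer server.  The hearing record
# does not say how the real server stored passwords; unsalted SHA-1 is an
# assumption for illustration (a weak choice, which is part of the point).
SAMPLE_ACCOUNTS = {
    "client_a_upload": "password",
    "client_b_upload": "summer2003",
    "contractor_x": "letmein",
    "client_c_upload": "Kq7!vR2m#Lp9wZ4t",
    "client_d_upload": "north-harbor-velvet-quartz",
}

# Constructed guess list, standing in for the dictionary an attacker brings.
WORDLIST = ["123456", "password", "letmein", "welcome", "summer2003", "qwerty"]


def hash_password(password: str) -> str:
    """Unsalted SHA-1 hex digest (assumed legacy scheme, not a recommendation)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_password_file(accounts: dict) -> str:
    """Render accounts as 'user:hash' lines, the shape an exposed file would have."""
    return "\n".join("%s:%s" % (u, hash_password(p)) for u, p in accounts.items()) + "\n"


def parse_password_file(text: str) -> dict:
    """Read 'user:hash' lines back into a dict, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries[user] = digest
    return entries


def crack(entries: dict, wordlist) -> dict:
    """Offline dictionary attack.  With unsalted hashes every guess is hashed
    once and the single digest table is matched against every account at once,
    which is why a leaked file of this kind gives up weak passwords so cheaply."""
    table = {hash_password(w): w for w in wordlist}
    return {u: table[h] for u, h in entries.items() if h in table}


def meets_policy(password: str, min_len: int = 12, wordlist=WORDLIST) -> bool:
    """The 'more secure passwords' lesson as a check: a length floor plus a
    deny-list of common guesses.  Every password crack() recovers fails this."""
    if len(password) < min_len:
        return False
    if password.lower() in {w.lower() for w in wordlist}:
        return False
    return True


def stale_files(listing: dict, now: datetime, max_age: timedelta) -> list:
    """The 'shorter retention' lesson: files older than max_age should not
    still be sitting on the transfer server waiting to be taken."""
    return sorted(name for name, mtime in listing.items() if now - mtime > max_age)


def demo() -> dict:
    text = build_password_file(SAMPLE_ACCOUNTS)
    entries = parse_password_file(text)
    cracked = crack(entries, WORDLIST)
    rejected = sorted(u for u, p in SAMPLE_ACCOUNTS.items() if not meets_policy(p))
    now = datetime(2005, 5, 11, 9, 0)
    listing = {  # constructed directory listing: file name -> last modified
        "client_a/batch_0401.zip": now - timedelta(days=40),
        "client_b/batch_0509.zip": now - timedelta(days=2),
        "contractor_x/extract.csv": now - timedelta(days=10),
    }
    return {
        "cracked": cracked,
        "rejected_by_policy": rejected,
        "stale": stale_files(listing, now, timedelta(days=7)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

Running the block shows the three dictionary-word accounts recovered, the same three rejected by the policy check, and the two files past the seven-day window flagged for removal; the two long passwords survive the guess list and pass the policy.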

Mr. Stearns. I thank you. Our next witness is Mr. Buege. Wel- 
come. 


STATEMENT OF STEVEN BUEGE 

Mr. Buege. Chairman Stearns, Congresswoman Schakowsky, 
members of this distinguished committee, thank you for allowing 
West to present testimony before this hearing of the Subcommittee 
on Commerce, Trade, and Consumer Protection. I commend you for 
continuing its tradition of ardent and principled investigation and 
legislative oversight of so many of the issues that touch each of us 
every day. 

My name is Steve Buege. I am senior vice president of Business 
Information, News, and Public Records for West. I oversee this con- 
tent on Westlaw. I have worked for West nearly 20 years, most re- 
cently as head of operations, and prior to that as chief technology 
officer. I am proud to be associated with West and of West’s record 
in the data privacy arena. 

West has served the same niche customer base, legal and govern- 
ment professionals, for over 125 years and throughout our trans- 
formation from being a traditional law book publisher to a leader 
in information technology. In 1975 West introduced its first online 
legal research service, Westlaw, and we have been a pioneer in e- 
commerce ever since. 

According to our research, the total U.S. public records market 
represents about $7 billion annually. Of that, $1 billion is focused 
on the crime, law enforcement, prosecution area. About $160 mil- 
lion of that is in the legal market. For our business, data bases 
with full SSNs account for only a fraction of 1 percent of our rev- 
enue. 

West’s customers work in law firms, courts, government, and cor- 
porate legal departments. Much of the information they need to do 
their jobs is, by its very nature, sensitive. We are acutely aware of 
this and consider ourselves stewards of data privacy. 

Given the attention this issue has recently received in Wash- 
ington and in the media, we have carefully reviewed and further 
tightened our policies. Throughout this process, our ultimate test 
was to do the right thing. Our record proves that we are on the 
right track. 

Since February, West has removed access to full SSNs from 
about 85 percent of the accounts that had it, and blocked this ac- 
cess entirely to all non-government accounts. Today, the only cus- 
tomers who can access full SSNs are government agencies involved 
in crime prevention, prosecution, and homeland security, primarily 
the Federal courts, Department of Justice, and IRS. We also have 
some smaller government accounts all in the areas of law enforce- 
ment and homeland security as well with access to full SSNs. All 
of these accounts are carefully vetted. It is important to note that 
we have never granted ad hoc access to full SSNs and that West 
serves a specialized B to B market of legal and government profes- 
sionals, not a consumer-oriented market. 

West’s policies go well beyond what is required under various 
privacy laws, yet we recognize the need for more clarity and regu- 
latory guidance. We welcome the opportunity to work with you on 
a variety of approaches, including establishing a uniform notifica- 
tion system to inform citizens whose data may have been com- 
promised, charging a government agency with regulatory oversight 
of public data providers similar to the FTC’s role with financial in- 
stitutions, requiring senior management in data companies that 
deal with SSNs to sign off on their companies’ security and privacy 
arrangements, and legislation that would establish a consistent 
method for masking SSNs — for example, always obscuring the last 
four digits. 

Thank you for your interest and your hard work and for allowing 
West to be part of this discussion. I look forward to continuing to 
work with you on this important matter. 

[The prepared statement of Steve Buege follows:] 

Prepared Statement of Steve Buege, Senior Vice President, Business 
Information News and Public Records, on Behalf of West 

INTRODUCTION 

Chairman Stearns, Congresswoman Schakowsky, Members of this distinguished 
Committee: Thank you very much for allowing West the opportunity to present tes- 
timony before this hearing of the Energy and Commerce Committee’s Subcommittee 
on Commerce, Trade, and Consumer Protection. I commend you for continuing the 
Committee’s tradition of ardent and principled investigation and legislative over- 
sight of so many of the issues that touch each of us every day. 

My name is Steve Buege. I’m senior vice president of Business Information News 
and Public Records. In that role for West, I oversee our news, business information 
and public records content on Westlaw, and together with the president and CEO 
of West, I oversee the policies governing procurement of and access to that informa- 
tion. 

Prior to this, I was vice president of Operations for West, where Customer Experi- 
ence, Technology and Content Operations reported into me. Prior to that, I was 
Chief Technology Officer for four years. In my work with the company, spanning 
now some 20 years, I’ve participated in some of its most important transformations. 
I have intimate knowledge of its technology, its business and its values. And I am 
proud of my association with the business. 

ABOUT WEST AND OUR CUSTOMERS 

West has been serving the same niche customer base — exclusively legal and gov- 
ernment professionals — for more than 126 years. Our company founder, John B. 
West, started West Publishing in 1872 as a regional book and office supply seller 
for attorneys in the Midwest. Eventually, West covered judicial opinions from every 
state, circuit and appellate court and the U.S. Supreme Court. 

Our core market has remained legal and government customers for more than a 
century. West maintained this focus on the B2B market while transitioning from 
a traditional legal book publisher to a leader in the information technology revolu- 
tion. In 1975, West introduced its first online legal research service, Westlaw. We’ve 
been a pioneer in e-commerce ever since. We embraced the Internet, and electronic 
publishing is at the heart of our business today. 

The West name — from West Publishing to Westlaw — has long been known as an 
authoritative, trustworthy source for the U.S. bench and bar. This market recog- 
nizes Westlaw as the premier online legal research service; it offers the world’s larg- 
est databases of legal research materials, statutes, case law, legal treatises and 
business information. 

West has been acutely focused on security and privacy issues, especially in the 
last 10 years as access to electronic information has increased significantly. We con- 
sider ourselves stewards of data privacy. West was a founding member of the Indi- 
vidual Reference Services Group (IRSG). The 1997 IRSG Principles defined a bal- 
ance between personal privacy and the important societal benefits of reference serv- 
ices. West used these principles to establish procedures for qualifying its users, with 
only government agencies and a very small number of professional users receiving 
qualified access to full Social Security numbers. 

Today, West still refers to the IRSG Principles for guidance about our collection 
and distribution of information. For example, although the Gramm-Leach-Bliley 
Act’s privacy rule permits distribution of information — including full Social Security 
numbers — to any entity that fits within the exception to the rule. West limits dis- 
tribution of full Social Security numbers to specific government agencies — going be- 
yond the requirements of GLBA. 

OVERVIEW OF THE PUBLIC RECORDS MARKET 

According to our research, the U.S. public records market represents about $7 bil- 
lion dollars annually. Within this space, $1 billion is focused on the crime/law en- 
forcement/prosecution area; approximately $160 million of that space is focused on 
usage within the legal market. Of this $160 million, only a fraction relates to 
records with full Social Security numbers. For our legal businesses, databases with 
full Social Security numbers only account for a fraction of 1 percent of our revenues. 

It’s important to note that only vetted government customers who deal with law 
enforcement, investigatory or homeland security issues have access to full Social Se- 
curity numbers. None of our corporate clients have this access. 

OUR PRIVACY POLICIES 

West’s customers work in law firms, the courts, government and corporate legal 
departments. Much of the information our customers need to do their jobs and serve 
our legal justice system is, by its very nature, sensitive. 

West has always been a good steward of this sensitive information, and we are 
deeply committed to ensuring that we achieve the proper balance between making 
information available for legitimate business and governmental purposes and re- 
specting people’s expectations of privacy. 

Given the attention this issue has received in Washington and in the media dur- 
ing the past few months, we have carefully reviewed our policies and made signifi- 
cant changes concerning access. Throughout this process, our ultimate test was to 
do the right thing. Our record proves that we’re on the right track. 

Since February, West has reviewed the very small number of customers who had 
access to full Social Security numbers and further restricted which customers are 
allowed such access. We removed access to full Social Security numbers for about 
85 percent of the accounts who had it, and blocked this type of access to all non- 
government accounts. Today, most customers who can access full Social Security 
numbers are government agencies involved in crime prevention, prosecution and 
homeland security — primarily the Federal Courts, the Department of Justice and 
the IRS. We also have some smaller accounts — all in the areas of law enforcement 
and homeland security as well — with access to full Social Security numbers. All 
these accounts are carefully vetted. It’s important to note that we have never grant- 
ed ad hoc access to full Social Security numbers and that West serves a specialized 
market of legal and government professionals — not a consumer-oriented market. 

Opt-in policy 

In the past few months, West has worked with our government customers to fully 
institute an opt-in policy; that is, a policy that assumes a government account will 
not have full access to Social Security numbers. Under this new policy, accounts 
that need access to full Social Security numbers will be granted access only to speci- 
fied and qualified individuals. Moving forward, all new contracts West enters with 
government agencies will be opt-in only. 

Enhanced usage tracking and Westlaw reminders 

West also has introduced new procedures to monitor databases that contain Social 
Security numbers for unusual use patterns, and on a go-forward basis, customers 
permitted to view full Social Security numbers on Westlaw will see a special notifi- 
cation message any time they access these databases. This message will re- 
mind the user that he or she is among a limited number of people given privi- 
leged access to this information, and that it must be used only for appropriate pur- 
poses and in compliance with the law and the privacy terms West imposes. This will 
ensure that individual users are aware of their responsibility in accessing Social Se- 
curity numbers as well as their unique privilege to use this information. 

West’s policy goes well beyond what’s required under various privacy laws. We 
are committed to working with this Committee to fully explore this complex issue. 
We also hope to work with you, federal agencies and the industry to ensure that 
the public is protected from fraud and that those committed to fighting and pros- 
ecuting these crimes will have the information they need to do their important 
work. 


PRIVACY GUIDELINES AND REGULATIONS 

And that is why I’m here today. West recognizes the need for guidelines, and we 
would welcome the opportunity to work with you to advance a variety of approaches. 
From our business perspective, here are some areas where we welcome clarity and 
guidance: 

• Establishing a uniform notification system that informs customers whose data 
may have been compromised 

• Allowing a government agency to have an appropriate regulatory role over public 
data providers, similar to the regulatory role the Federal Trade Commission 
currently has regarding data matters in financial institutions 

• Requiring senior management in data companies that deal with Social Security 
numbers to sign off on a business’s security and privacy arrangements 

Also, you may want to consider the following ideas that haven’t been as widely 
discussed: 

• Legislation that would establish a universally applied method for masking Social 
Security numbers. (Now there are several common ways that entities mask So- 
cial Security numbers. Some mask the first five digits and others truncate the 
last four. This might allow someone to determine a full Social Security number 
by using two differently masked numbers.) 

• Encouraging each business in this space to find an alternative technology solu- 
tion — instead of Social Security numbers — to create a unique locator that distin- 
guishes one individual with the same name from another. This approach would 
be specific to each business; it wouldn’t be uniform across the industry. 

CONCLUSION 

Thank you for your interest, your hard work and allowing West to be part of your 
discussion. I look forward to continuing to work with you on this important matter 
as we balance individuals’ rights to privacy with the national concern for justice and 
homeland security. 
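The masking point in the statement above is easy to demonstrate. The Python below is an added example written for this edit, not West’s code; the SSN, the two masking conventions and the per-business keys are all constructed for illustration. It shows that a first-five-masked view and a last-four-masked view of the same number merge back into the full number, that a single uniform convention gives an attacker nothing to merge, and one way (an assumption, not something the statement specifies) to build the per-business locator Mr. Buege mentions: a keyed HMAC of the number, which differs from business to business and cannot be reversed to the SSN.

```python
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
MASK = "X"


def _digits(ssn: str) -> str:
    """Validate NNN-NN-NNNN and strip the separators."""
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN, got %r" % ssn)
    return ssn.replace("-", "")


def _fmt(nine: str) -> str:
    return "%s-%s-%s" % (nine[:3], nine[3:5], nine[5:])


def mask_first_five(ssn: str) -> str:
    """Convention A: hide the first five digits, show the last four."""
    return _fmt(MASK * 5 + _digits(ssn)[5:])


def mask_last_four(ssn: str) -> str:
    """Convention B: show the first five digits, hide the last four."""
    return _fmt(_digits(ssn)[:5] + MASK * 4)


def merge_masked(*views: str):
    """Combine differently masked views of one number, position by position.
    Returns the merged string (still containing X wherever no view revealed a
    digit), or None if two views disagree on a revealed digit."""
    out = [MASK] * 9
    for view in views:
        chars = view.replace("-", "")
        if len(chars) != 9:
            raise ValueError("bad masked view %r" % view)
        for i, ch in enumerate(chars):
            if ch == MASK:
                continue
            if out[i] != MASK and out[i] != ch:
                return None
            out[i] = ch
    return _fmt("".join(out))


def fully_revealed(masked: str) -> bool:
    return MASK not in masked


def locator(ssn: str, business_key: bytes) -> str:
    """Assumed per-business locator design: HMAC-SHA256 of the digits under a
    key only that business holds.  Same person, same business: same locator.
    Different business: different locator.  No way back to the SSN."""
    mac = hmac.new(business_key, _digits(ssn).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:16]


def demo() -> dict:
    ssn = "123-45-6789"  # constructed, not a real number
    mixed = merge_masked(mask_first_five(ssn), mask_last_four(ssn))
    uniform = merge_masked(mask_last_four(ssn), mask_last_four(ssn))
    return {
        "view_a": mask_first_five(ssn),
        "view_b": mask_last_four(ssn),
        "merged_mixed": mixed,
        "mixed_reveals_full": fully_revealed(mixed),
        "merged_uniform": uniform,
        "uniform_reveals_full": fully_revealed(uniform),
        "locator_biz1": locator(ssn, b"business-1-secret-key"),
        "locator_biz2": locator(ssn, b"business-2-secret-key"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The merge step is the attack in the parenthetical: two records about one person, masked under the two common conventions, leak all nine digits between them. When every source hides the same four digits, merging yields the same partial view, which is why a single mandated convention closes the gap. The locator function stands in for the second idea; its key never leaves the business that owns it, so two businesses’ locators for one person do not line up.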

Mr. Stearns. I thank the gentleman. Mr. Ireland, well, welcome. 

STATEMENT OF OLIVER I. IRELAND 

Mr. Ireland. Good morning, Chairman Stearns 

Mr. Stearns. I just need you to 

Mr. Ireland. [continuing] Ranking Member Schakowsky, and 
members of the subcommittee. My name is Oliver Ireland. I am a 
partner in the Washington, DC office of Morrison and Foerster, and 
I am pleased to be here today on behalf of Visa U.S.A. to address 
the issue of consumer information security. 

Visa has long recognized the importance of protecting cardholder 
information. The Visa system provides for zero liability for card- 
holders for unauthorized transactions. Therefore, Visa members, 
card issuers incur the costs of fraudulent transactions that may re- 
sult from unauthorized access to cardholder information and have 
a strong interest in protecting that information. 

Further, existing Federal law obligates financial institutions to 
protect their customers’ information. Under Section 501(b) of the 
Gramm-Leach-Bliley Act, the Federal banking agencies and the 
Federal Trade Commission have established information security 
standards for the financial institution subject to their jurisdiction. 
But many holders of sensitive personal information, including, for 
example, employers and retail merchants, are not financial institu- 
tions subject to the 501(b) rule. In part to address this gap, Visa 
is implementing a comprehensive Cardholder Information Security 
Plan or CISP. CISP requires all holders of cardholder information, 
including merchants, to comply with the “Visa Digital Dozen,” 12 
basic requirements for safeguarding customer information. 

Visa also uses sophisticated neural networks to detect and block 
transactions where fraud is suspected. These networks, coupled 
with CISP and Visa’s zero liability policy provide a high degree of 
protection from fraudulent credit card transactions to cardholders. 
Nevertheless, Visa believes that all businesses that maintain sen- 
sitive personal information should be subject to uniform national 
requirements to protect that sensitive information. 

Closely related to the issue of information security is the ques- 
tion of what to do if a security breach occurs. Visa believes that 
where the breach creates a substantial risk of harm to consumers, 
that the consumers can take action to prevent, the consumers 
should be notified so that they can take the appropriate action. 
Both Federal and California law already address this issue. For ex- 
ample, the California law currently requires notice to individuals 
of a breach of security involving their computerized personal infor- 
mation. Other States have enacted or are considering security 
breach notification laws. However, the details of these laws differ. 

The Federal banking agencies have also issued guidance that re- 
quires banking institutions that experience a breach of security in- 
volving sensitive customer information to notify customers where 
misuse of the information has occurred or is reasonably possible. 

The fact that States are not addressing notification in a uniform 
way creates a critical need for a single, national standard for notifi- 
cation. A single standard will avoid confusion among consumers as 
to the meaning of notices that they receive and among holders of 
consumer information as to their notification responsibilities. 

Further, any legislation on security breach notification should 
recognize compliance with the banking agency guidance that is al- 
ready in place as compliance with any Federal notification require- 
ment. Further, such notification requirements should be risk-based 
to avoid inundating consumers with notices where no action by con- 
sumers is required. As FTC Chair Majoras has testified, notices 
should be sent only if there is a significant risk of harm. 

Thank you again for the opportunity to be here today. I would 
be happy to answer any questions from the members of this com- 
mittee. 

[The prepared statement of Oliver I. Ireland follows:] 

Prepared Statement of Oliver I. Ireland on Behalf of Visa U.S.A. Inc. 

Good morning Chairman Stearns, Ranking Member Schakowsky, and Members of 
the Subcommittee. I am a partner in the law firm of Morrison & Foerster LLP, and 
practice in the firm’s Washington, D.C. office. I am pleased to appear before the 
Subcommittee on behalf of Visa U.S.A. Inc., to discuss the important issue of 
consumer information security. 

The Visa Payment System, of which Visa U.S.A. is a part, is the largest consumer 
payment system, and the leading consumer e-commerce payment system, in the 
world, with more volume than all other major payment cards combined. Visa plays 
a pivotal role in advancing new payment products and technologies, including tech- 
nology initiatives for protecting personal information and preventing identity theft 
and other fraud. 

Visa commends the Subcommittee for focusing on the important issue of informa- 
tion security. As the leading consumer electronic commerce payment system in the 
world, Visa considers it a top priority to remain a leader in developing and imple- 
menting technology, products, and services that protect consumers from the effects 
of information security breaches. As a result, Visa has long recognized the impor- 
tance of strict internal procedures to protect Visa’s members’ cardholder informa- 
tion, thereby to protect the integrity of the Visa system. 

Visa has substantial incentives to maintain strong security measures to protect 
cardholder information. The Visa system provides for zero liability to cardholders 
for unauthorized transactions. Cardholders are not responsible for unauthorized use 
of their cards. The Visa Zero Liability policy guarantees maximum protection for 
Visa cardholders against fraud due to information security breaches. Because the 
financial institutions that are Visa members do not impose the losses for fraudulent 
transactions on their cardholder customers, these institutions incur costs from 
fraudulent transactions. These costs are in the form of direct dollar losses from cred- 
it that will not be repaid, and also can be in the form of indirect costs attributable 
to the harm and inconvenience that might be felt by cardholders or merchants. Ac- 
cordingly, Visa aggressively protects the cardholder information of its members. 

EXISTING FEDERAL LAWS AND RULES FOR INFORMATION SECURITY 

Existing federal laws and regulations also obligate financial institutions to protect 
the personal information of their customers. Rules adopted under section 501(b) of 
the Gramm-Leach-Bliley Act of 1999 by the federal banking agencies and the Fed- 
eral Trade Commission (“FTC”) (“GLBA 501(b) Rules”) establish information secu- 
rity standards for the financial institutions subject to the jurisdiction of these agen- 
cies. Under the GLBA 501(b) Rules, financial institutions must establish and main- 
tain comprehensive information security programs to identify and assess the risks 
to customer information and then control these potential risks by adopting appro- 
priate security measures. 

Each financial institution’s program for information security must be risk-based. 
Every institution must tailor its program to the specific characteristics of its busi- 
ness, customer information and information systems, and must continuously assess 
the threats to its customer information and systems. As those threats change, the 
institution must appropriately adjust and upgrade its security measures to respond 
to those threats. 

However, the scope of the GLBA 501(b) Rules is limited. Many holders of sensitive 
personal information are not financial institutions covered by the GLBA 501(b) 
Rules. For example, employers and most retail merchants are not covered by the 
GLBA 501(b) Rules, even though they may possess sensitive information about con- 
sumers. 

VISA’S CARDHOLDER INFORMATION SECURITY PLAN 

Because of its concerns about the adequacy of the security of information about 
Visa cardholders, Visa has developed and is implementing a comprehensive and ag- 
gressive customer information security program known as the Cardholder Informa- 
tion Security Plan (“CISP”). CISP applies to all entities, including merchants, that 
store, process, transmit, or hold Visa cardholder data, and covers enterprises oper- 
ating through brick-and-mortar stores, mail and telephone order centers, or the 
Internet. CISP was developed to ensure that the cardholder information of Visa’s 
members is kept protected and confidential. CISP includes not only data security 
standards but also provisions for monitoring compliance with CISP and sanctions 
for failure to comply. 

As a part of CISP, Visa requires all participating entities to comply with the “Visa 
Digital Dozen” — twelve basic requirements for safeguarding accounts. These include: 
(1) install and maintain a working network firewall to protect data; (2) do not use 
vendor-supplied defaults for system passwords and security parameters; (3) protect 
stored data; (4) encrypt data sent across public networks; (5) use and regularly up- 
date anti-virus software; (6) develop and maintain secure systems and applications; 
(7) restrict access to data on a “need-to-know” basis; (8) assign a unique ID to each 
person with computer access; (9) restrict physical access to data; (10) track all ac- 
cess to network resources and data; (11) regularly test security systems and proc- 
esses; and (12) implement and maintain an overall information security policy. 

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 

Visa is not the only credit card organization that has developed security stand- 
ards. In order to avoid the potential for imposing conflicting requirements on mer- 
chants and others, in December of 2004, Visa, MasterCard, American Express, Dis- 
cover, and Diners Club collaborated to align their respective data security require- 
ments for merchants and third parties. Visa found that the differences between 
these security programs were more procedural than substantive. Therefore, Visa has 
been able to integrate CISP into a common set of data security requirements with- 
out diluting the substantive measures for information security already developed in 
CISP. Visa supports this new, common set of data security requirements, which is 
known as the Payment Card Industry Data Security Standard (“PCI Standard”). 

NEURAL NETWORKS TO DETECT FRAUD AND BLOCK POTENTIALLY UNAUTHORIZED TRANSACTIONS 

In addition to the CISP program, which helps to prevent the use of cardholder 
information for fraudulent purposes, Visa uses sophisticated neural networks that 
flag unusual spending patterns for fraud and block the authorization of transactions 
where fraud is suspected. When cardholder information is compromised, Visa noti- 
fies the issuing financial institution and puts the affected card numbers on a special 
monitoring status. If Visa detects any unusual activity in that group of cards, Visa 
again notifies the issuing institutions, which begin a process of investigation and 
card re-issuance. These networks, coupled with CISP and Visa’s Zero Liability, pro- 
vide a high degree of protection from fraudulent credit card transactions to card- 
holders. 


EXPANSION OF EXISTING REQUIREMENTS 

Current protections notwithstanding, Visa believes that an obligation to protect 
sensitive personal information, similar to the GLBA 501(b) Rules, should apply 
broadly so that all businesses that maintain sensitive personal information will es- 
tablish information security programs. Because consumer information knows no 
boundaries, it is critical that this obligation be uniform across all institutions in all 
jurisdictions. 


SECURITY BREACH NOTIFICATION 

Closely related to the issue of information security is the question of what to do 
if a breach of that security occurs. Visa believes that where the breach creates a 
substantial risk of harm to consumers that the consumers can take action to pre- 
vent, the consumers should be notified about the breach so that they can take ap- 
propriate action to protect themselves. Both federal and California law already ad- 
dress this issue. California law currently requires notice to individuals of a breach 
of security involving their computerized personal information. The California law fo- 
cuses on discrete types of information that are deemed to be sensitive personal in- 
formation. The statute defines sensitive personal information as an individual’s 
name plus any of the following: Social Security Number, driver’s license number, 
California identification card number, or a financial account number, credit or debit 
card account number, in combination with any code that would permit access to the 
account. The California law includes an exception to the notification requirement 
when this personal information has been encrypted. The California law only re- 
quires notice to be provided when personal information is “acquired by an unauthor- 
ized person.” Other states recently have enacted or are considering security breach 
notification laws; however, the details of some of the laws differ. 

In March, the federal banking agencies issued final interagency guidance on re- 
sponse programs for unauthorized access to customer information and customer no- 
tice (“Guidance”). The Guidance applies to all financial institutions that are subject 
to banking agency GLBA 501(b) Rules and requires every covered institution that 
experiences a breach of security involving sensitive customer information to: (1) no- 
tify the institution’s primary federal regulator; (2) notify appropriate law enforce- 
ment authorities consistent with existing suspicious activity report rules; and (3) no- 
tify its affected customers where misuse of the information has occurred or is rea- 
sonably possible. 

The keen interest that states have shown to legislate on the issue of security 
breach notification emphasizes the need for a single national standard for security 
breach notification in order to avoid confusion among consumers as to the signifi- 
cance of notices that they receive and among holders of information about con- 
sumers as to their notification responsibilities. In addition, any legislation on secu- 
rity breach notification should recognize compliance with the Guidance as compli- 
ance with any notification requirements. 

Visa believes that a workable notification law that would require entities that 
maintain computerized sensitive personal information to notify individuals upon dis- 
covering a significant breach of security of that data should be risk-based to avoid 
inundating consumers with notices where no action by consumers is required. As 
FTC Chairwoman Majoras recently testified to Congress, notices should be sent only 
if there is a “significant risk of harm,” because notices sent when there is not a sig- 
nificant risk of harm actually can cause individuals to overlook those notices that 
really are important. 

Thank you, again, for the opportunity to present this testimony today. I would be 
happy to answer any questions. 
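The monitoring flow described in the Visa statement above (flag unusual spending, keep compromised card numbers on a special monitoring status, notify the issuer when that group shows unusual activity), illustrated with an added example that is not Visa's code and that uses simple statistical rules rather than a neural network. All card tokens, authorization history, issuer names and thresholds below are constructed for the demonstration:

```python
"""Added example: a transparent, rule-based stand-in for card monitoring.
Ordinary cards are blocked only on clear outliers; cards reported in a breach
sit on a monitoring status with a tighter threshold, and blocked activity on
them raises an issuer notification. Everything here is constructed data."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Auth:
    tx_id: str
    card: str       # constructed token, not a real card number
    amount: float
    country: str


# Constructed authorization history per card token: (amount, country).
HISTORY = {
    "tok-1111": [(42.0, "US"), (55.0, "US"), (38.0, "US"), (61.0, "US"), (47.0, "US")],
    "tok-2222": [(120.0, "US"), (95.0, "US"), (130.0, "US"), (110.0, "US"), (105.0, "US")],
}
ISSUER = {"tok-1111": "issuer-A", "tok-2222": "issuer-B"}   # constructed

# Cards reported compromised are held on monitoring status (constructed list).
MONITORED = {"tok-2222"}
BLOCK_Z = 3.0      # ordinary cards: block clear amount outliers only
WATCH_Z = 2.0      # monitored cards: block on milder deviations


def amount_zscore(card: str, amount: float) -> float:
    """How far the amount sits from the card's own spending baseline."""
    amounts = [a for a, _ in HISTORY.get(card, [])]
    if len(amounts) < 2:
        return 0.0                  # no baseline yet: cannot call it unusual
    mu, sd = mean(amounts), pstdev(amounts)
    if sd == 0:
        return 0.0 if amount == mu else float("inf")
    return (amount - mu) / sd


def decide(auth: Auth):
    """Return (decision, reasons) for one authorization request."""
    z = abs(amount_zscore(auth.card, auth.amount))
    seen = {c for _, c in HISTORY.get(auth.card, [])}
    new_country = bool(seen) and auth.country not in seen
    watched = auth.card in MONITORED
    reasons = []
    if z > BLOCK_Z:
        reasons.append("amount_outlier")
    elif watched and z > WATCH_Z:
        reasons.append("amount_unusual_for_monitored_card")
    if new_country:
        reasons.append("new_country")
    # A clear outlier blocks any card; any signal blocks a monitored card.
    if "amount_outlier" in reasons or (watched and reasons):
        return "block", reasons
    if reasons:
        return "review", reasons
    return "approve", reasons


def monitor(auths):
    """Process a batch; returns per-transaction decisions and the issuer
    notifications raised by blocked activity on monitored cards."""
    decisions, notices = {}, []
    for a in auths:
        decision, reasons = decide(a)
        decisions[a.tx_id] = decision
        if a.card in MONITORED and decision == "block":
            notices.append((ISSUER[a.card], a.card, a.tx_id))
    return decisions, notices


SAMPLE = [  # constructed incoming authorizations
    Auth("t1", "tok-1111", 50.0, "US"),     # in line with history
    Auth("t2", "tok-1111", 900.0, "RO"),    # huge amount, unseen country
    Auth("t3", "tok-1111", 45.0, "CA"),     # normal amount, unseen country
    Auth("t4", "tok-2222", 140.0, "US"),    # mild deviation on a monitored card
    Auth("t5", "tok-2222", 100.0, "US"),    # normal for that card
]

if __name__ == "__main__":
    decisions, notices = monitor(SAMPLE)
    for tx, dec in decisions.items():
        print(tx, dec)
    print("issuer notices:", notices)
```

The same mild deviation that is merely reviewed on an ordinary card blocks a monitored one, which is the point of the special monitoring status: the threshold is lowered only for the population known to be at elevated risk, so ordinary cardholders are not swamped with declines.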

Mr. Stearns. I thank the gentleman. Mr. Burton, welcome. 

STATEMENT OF DANIEL BURTON 

Mr. Burton. Thank you, Chairman Stearns, Ranking Member 
Schakowsky, distinguished members of the subcommittee. I appre- 
ciate your holding this hearing and giving me the opportunity to 
testify. My name is Daniel Burton. I am vice president of govern- 
ment affairs for Entrust, Inc. 

Entrust is a world leader in securing digital identities and infor- 
mation. As a security software company, we are in the business of 
protecting our customers, and by extension, your constituents, with 
proven technology solutions. Over 1,200 enterprises and govern- 
ment agencies in more than 50 countries rely on Entrust software, 
including the U.S. Department of Treasury, the Department of Jus- 
tice, and several nuclear laboratories. So we have a lot of experi- 
ence in this field. 

I would first like to note with great appreciation this subcommit- 
tee’s longstanding interest in online privacy. You have followed this 
issue closely for several years and built up considerable expertise. 
As a result, this committee is very well-positioned to play a leader- 
ship role in this debate. 

The privacy issues we are facing today are very different than 
they were a few years ago. Then, much of the debate revolved 
around limited opt-in and opt-out provisions. Today, with the 
rampant theft of confidential personal information, the Internet 
privacy debate is focused squarely on security. 

This shift in emphasis represents a sea of change for public pol- 
icy. For years we have enjoyed the productivity improvements that 
network computing afforded and tolerated the nuisances that came 
with it. Today, these nuisances are overshadowed by a much more 
sinister problem, organized crime. 

Just like companies and governments, criminals have realized 
that the Internet is a powerful business tool. For criminals, gaining 
access to computerized credit card information, Social Security 
numbers, and other identifiers is a gateway to ready cash. Com- 
puter hackers no longer fit the profile of pimply faced teenagers 
who lose interest as soon as they get a girlfriend. Increasingly, they 
are skilled criminals who have a sophisticated business plan, 
mount wholesale attacks, move quickly around the world, and 
cover their tracks. 

Identity theft is not limited to data brokers. The breaches at 
ChoicePoint and Lexis-Nexis may have sparked public outrage, but 
the problem goes much deeper. Discount Shoe Warehouse, the San 
Jose Medical Group, George Mason University, SAIC, Time War- 
ner, none of these are data brokers, yet all have suffered breaches 
of highly sensitive personal information. 

Focusing remedies exclusively on data brokers is like protecting 
your home from burglars by locking your doors but leaving your 
windows wide open. It may make you feel better, but it won’t pre- 
vent a robbery. Similarly, passing a law that requires only data 
brokers to issue notifications when their systems are breached will 
do nothing to safeguard the reams of personal information that are 
held by other organizations. 

It is for this reason that the recent State breach notification laws 
cover anyone that owns or licenses computerized data that includes 
personal information. As you know, several States have already 
passed such bills, and many more are considering them. There is 
a very real possibility that by this summer we could see over a 
dozen competing State breach notification laws in effect. 

Given the reality of cyber crime, breaches, and State legislation, 
Congress needs to act. Entrust believes the Federal legislation 
could help and recommends the following measures for consider- 
ation: No. 1, establish a uniform national breach notification policy 
for unauthorized access to unencrypted personal information. If 
personal data is appropriately encrypted, notification should not be 
required. That is because even if the data is stolen, it will show up 
as random characters that won’t make any sense to thieves unless 
they have the proper access codes. Since not all encryption is reli- 
able, however, Congress should insist that it meets standards de- 
veloped by the National Institute of Standards and Technology. 

No. 2, require second factor authentication for access to sensitive 
personal information. The FDIC said it best in its report “Putting 
an End to Account-Hijacking Identity Theft.” Its lead recommenda- 
tion, upgrading existing password-based, single factor customer au- 
thentication systems to two factor authentication. Simple user 
name and passwords are too easily breached. They must be backed 
up with physical tokens containing secret access codes the legiti- 
mate users keep in their possession. 

No. 3, encourage enterprises that hold sensitive personal infor- 
mation to use technological and other means to assure compliance 
with their privacy policies. Since the majority of breaches come 
from insiders, organizations can significantly improve data security 
by deploying automated tools that screen email for privacy viola- 
tions. 

The fourth recommendation is to extend security requirements 
similar to the Gramm-Leach-Bliley Act safeguards to all entities 
that retain sensitive personal information. 

In conclusion, this subcommittee has a vital role to play in the 
effort to secure computerized personal information. Entrust is 
doing its best to help organizations implement strong technology 
safeguards and looks forward to working with you to see that they 
are complemented with effective public policy. 
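The second-factor recommendation in Mr. Burton's statement (a password backed by a code from a token the legitimate user holds), as an added example that is not Entrust's product or code. It implements the standard time-based one-time-password scheme (RFC 4226 HOTP and RFC 6238 TOTP) with Python's standard library only; the user record, salt and token secret are constructed, the secret being the RFC 6238 test-vector key so that the expected codes are known:

```python
"""Added example: a two-factor login check. The first factor is a password
(something you know), the second a time-based one-time code of the kind a
hardware or software token produces (something you have). Constructed data."""
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // STEP), digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a stolen record is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record. The TOTP secret is the RFC 6238 test-vector key,
# used only so the expected codes are known; a real secret is random per token.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse battery staple", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time step already accepted (replay guard)
    }
}


def login(username: str, password: str, code: str, now: float = None, window: int = 1) -> bool:
    """Both factors must pass; every failure looks the same to the caller."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not (isinstance(code, str) and code.isascii()):
        return False
    # First factor: constant-time comparison of the derived password hash.
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
    # Second factor: accept the current step or one step either side for clock
    # drift, but never a step at or below one already used (stops code replay).
    counter = int(now // STEP)
    otp_ok, used = False, None
    for c in range(counter - window, counter + window + 1):
        if c > user["last_counter"] and hmac.compare_digest(hotp(user["totp_secret"], c), code):
            otp_ok, used = True, c
    if pw_ok and otp_ok:
        user["last_counter"] = used
        return True
    return False


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = time.time()
    print("current code:", totp(secret, now))
    print("login:", login("alice", "correct horse battery staple", totp(secret, now), now))
```

Two details matter in practice: the acceptance window tolerates token clock drift without letting an old code be replayed, because the highest accepted time step is recorded per user; and both comparisons use `hmac.compare_digest`, so the time taken to reject a guess does not leak how close it was. A stolen password alone fails the check, which is the property the FDIC recommendation quoted in the statement is after.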

[The prepared statement of Daniel Burton follows:] 

Prepared Statement of Daniel Burton, Vice President of Government 
Affairs, Entrust, Inc. 

Good Morning. Chairman Stearns and distinguished Members of the Sub- 
committee, thank you for holding this hearing and giving me the opportunity to pro- 
vide testimony on this important subject. My name is Daniel Burton, and I am Vice 
President of Government Affairs for Entrust, Inc. In my testimony today, I will dis- 
cuss the impact of security breaches and what we can do about them. 

Entrust is a world leader in securing digital identities and information. As a secu- 
rity software company, we are in the business of protecting our customers — and by 
extension your constituents — with proven technology solutions that secure digital in- 
formation. Over 1,200 enterprises and government agencies in more than 60 coun- 
tries, including the US Department of Treasury, the Department of Justice and nu- 
merous nuclear laboratories, rely on Entrust software, so we have a lot of experience 
in this field. Entrust provides software solutions that protect your digital identity 
through authentication, enforce policy through advanced content scanning, and pro- 
tect your information assets through encryption. Our mission is to work with cus- 
tomers to put in place the technologies, policies, and procedures necessary to protect 
digital identities and information. 

I would like to note with appreciation this committee’s longstanding interest in 
on-line privacy. As a company that is on the front lines of the daily battle to protect 
sensitive information, Entrust applauds your activities and encourages your contin- 
ued leadership in this area. You have followed this issue closely for several years 
and built up considerable expertise. As a result, you are well positioned to play a 
critical role in protecting the privacy of individuals, companies and governments. 

The privacy issues we are facing today are very different than they were a few 
years ago. Then, much of the debate revolved around limited “opt-in” and “opt-out” 
provisions that determined what kind of consent was necessary to share personal 
information for marketing purposes. Today, with rampant theft of confidential per- 
sonal information a reality, the Internet privacy debate is focused squarely on 
security. 


CRIME ON THE NET 

This shift in emphasis — from nuisance to outright crime — represents a sea change 
for public policy. For years we have enjoyed the productivity improvements that 
networked computing afforded and learned to live with the nuisances that came 
with it. We may have been concerned about hacking for “honor” and other pranks, 
but like early versions of spam, viruses and unsolicited marketing campaigns, we tol- 
erated them as a small price to pay for the extraordinary dividends the Internet pro- 
vided. Today, these nuisances are overshadowed by a much more sinister problem — 
organized crime. 

Just like companies and governments, criminals have come to realize that the 
Internet is a powerful business tool. As mountains of sensitive personal, corporate 
and government information have moved onto the net, crime has too. For criminals, 
gaining access to names, addresses, credit card information, social security numbers 
and other identifiers is a gateway to ready cash. As a result, computer hackers no 
longer fit the profile of pimply faced teenagers who lose interest as soon as they get 
a girlfriend. Increasingly, they are skilled criminals who have a sophisticated busi- 
ness plan, mount wholesale attacks, move quickly around the globe and cover their 
tracks. Our understanding of these crimes and the role of law enforcement is still 
evolving, but the stakes are high. If Internet crime causes American consumers to 
retreat from online transactions, U.S. business and government will suffer huge pro- 
ductivity reversals that could cripple not only e-commerce, but also the economy at 
large. 

The statistics are staggering. The Federal Trade Commission estimates that 9-10 
million Americans are victims of identity theft per year. Total cost to business and 
consumers is approaching $50 billion. Almost 2 million US adult Internet users had 
their identities stolen in 2004. Almost 12% of the fraud is online. 

As a result, the public temperature is rising. A January 2006 IDC Survey showed 
that close to 60% of US consumers are concerned about identity theft, and almost 
6% have taken the remarkable step of switching banks as a result. A survey that 
Entrust conducted reaffirmed this concern. It found that 80% of individuals are wor- 
ried about someone stealing their on-line identity and using it to access their on- 
line bank accounts. 

The underlying question of this hearing is whether we are doing enough to protect 
confidential information. The answer, unfortunately, is that as a nation we are not 
prepared to deal with the reality of cybercrime. The necessary legal framework to 
safeguard consumers and companies is still incomplete; enforcement efforts and re- 
sources are inadequate; and much of the private sector is still in denial. 

BIGGER THAN BANKS, HOSPITALS AND DATA BROKERS 

The identity theft crisis extends well beyond regulated industries like banking 
and healthcare that many people view as guardians of their sensitive information. 
It’s even bigger than data brokers, despite all the attention they have received late- 
ly. The breaches at Bank of America, Choicepoint and Lexis-Nexis may have 
sparked public outrage about identity theft, but you only have to look at the kinds 
of organizations that have announced breaches in recent months to understand that 
the problem goes much deeper. Discount Shoe Warehouse, Paymaxx, the San Jose 
Medical Group, the University of California at Berkeley, George Mason University, 
SAIC, Time Warner — none of these are data brokers, yet they all suffered breaches 
of highly sensitive personal information. The scope of these breaches demonstrates 
that the universe of organizations holding sensitive personal information is quite 
large. Focusing remedies exclusively on data brokers is like protecting your home 
from burglars by locking the front door and leaving all the windows wide open. It 
may make you feel better, but it won’t do much to prevent a robbery. Similarly, 
passing a law that requires only data brokers to issue notifications when their sys- 
tems are breached will do nothing to safeguard the mountains of personal informa- 
tion that are held by other organizations. True success lies in a much broader ap- 
proach. 

It is for this reason that the recent state breach notification laws we see around 
the country are not limited to banks, healthcare providers and data brokers. It may 
interest you to know that many of the most proactive states in this arena are rep- 
resented by members of this Committee. For example, California was the first state 
to pass such a bill (H.B. 1386). It took effect on July 1, 2003 and requires a state 
agency, person or business that conducts business in California, and that owns or 
licenses computerized data that includes personal information to disclose breaches 
of unencrypted personal information to California residents. Arkansas has also 
passed a disclosure law (Senate Bill 1167) that covers “individuals, businesses and 
state agencies that acquire, own or license personal information about the citizens 
of the State of Arkansas . . .” Florida has a bill (H.B. 481) awaiting the Governor’s 
signature that covers “Any person who conducts business in this state and main- 
tains computerized data in a system that includes personal information . . .” In all, 
over twenty states have introduced such legislation, and there is a possibility that 
we could have over a dozen competing and conflicting state breach notification laws 
in effect by this summer. 

Given this backdrop of crime, systematic breaches and proliferating state legisla- 
tion, Congress needs to act. 

TECHNOLOGY AND PUBLIC POLICY 

In trying to determine what role Congress should play, it is important to under- 
stand some of the key technologies underlying information security. I will focus on 
two: confidentiality and authentication. Confidentiality means assuring that infor- 
mation is not disclosed to unauthorized persons. Encryption — the encoding or scrambling of informa- 
tion so that it can only be decoded and read by someone with the correct decoding 
key — is the technology often associated with confidentiality. Encryption comes in dif- 
ferent strengths. Many of the state breach notification bills make specific reference 
to it. 

Data in transit, such as e-mail, presents different encryption challenges than 
stored data. And since stored data is held in a variety of repositories, from 
mainframes to laptops, and in different ways, such as data bases and directories, 
it presents unique encryption challenges of its own. Software applications and data 
bases are typically built for speed, not security, so the issue is not just whether to 
encrypt them, but how and where to apply it. Not all data must be encrypted, but 
there is an increasing demand to encrypt sensitive personal data, even if it affects 
performance. 

Authentication means corroborating that a user is who they claim to be. It is often 
linked closely with authorization, which means that you have the right to access the 
information in question. Authentication technologies include user name and pass- 
word (referred to as first factor since they relate to something you know) and phys- 
ical tokens with secret codes (referred to as second factor since they are something 
you have). An even stronger form of authentication technology is the digital certifi- 
cate, which is an electronic identifier that establishes your credentials. Digital cer- 
tificates are issued by a certification authority. They contain your name, a serial 
number, expiration dates, a copy of the certificate holder’s public key (used for 
encrypting messages and digital signatures), and the digital signature of the certifi- 
cate-issuing authority so that a recipient can verify that the certificate is real. Using 
public key cryptography and digital certificates, the sender can assure that only the 
intended recipient can open the message, and the recipient knows that only the 
authorized sender could have sent the message. 

Much of the public policy debate about identity theft has focused on the need to 
authenticate consumer identities. Just as important, however, is the need to authen- 
ticate employer and supplier identities at both ends of a transaction. Since many 
breaches are internal, proper authentication of the employees, customers and part- 
ners who have privileged access to information is critical to preventing identity 
theft. 


THE NEED FOR ADDITIONAL LEGISLATIVE SAFEGUARDS 

There has been a lot of discussion about whether existing law is sufficient to pre- 
vent identity theft. Although industry at large has traditionally opposed federal leg- 
islation in this area, rampant identity theft, the proliferation of security breaches, 
and the passage of state breach notification laws have caused many companies to 
change their view. Entrust believes that additional Federal legislation could assist 
holders of sensitive personal information in their efforts to prevent consumer fraud 
and identity theft. Specifically, we believe that the following measures deserve con- 
sideration. 

1. Establish a uniform national breach notification policy for unauthorized access to 
unencrypted personal information. 

Breach notification laws are necessary to inform consumers when their sensitive 
personal information has been compromised so that they can guard themselves 
against identity crimes. As mentioned above, several states have passed breach noti- 
fication laws and many more have introduced this legislation. A uniform national 
notification standard is needed to preempt conflicting state laws and establish con- 
sistent requirements. In weighing such a provision, Congress should keep in mind 
two important criteria that are enshrined in state law. 

First, the notification requirement should apply to all entities that hold sensitive 
personal information. Confidential information is held by a wide variety of institu- 
tions, including employers, retailers, lawyers and government agencies. If the Fed- 
eral notification requirement is limited to data brokers and regulated industries like 
banking and health-care, none of these other organizations will be covered. If this 
were the case, organizations like SAIC, Time Warner, George Mason University and 
Discount Shoe Warehouse — all of whom have suffered breaches and sent out notifi- 
cations in recent months — would not be required by Federal law to notify those peo- 
ple whose identities had been compromised. 

Second, and just as important, if the personal information is appropriately 
encrypted, notification should not be required. The reason for this provision is that 
unauthorized access to encrypted data reveals only scrambled code that is meaning- 
less. For example, if the personal information of the 600,000 current and former em- 
ployees of Time Warner had been encrypted on the tapes that were lost, there would 
have been very little risk of identity theft because the information would have been 
unintelligible to anyone without the proper access. 

There are several different kinds of encryption, however, not all of which are reli- 
able. To insure that the encryption is adequate, Congress should insist on the 
encryption standards developed by the National Institute of Standards and Tech- 
nology. Organizations that suffer breaches should not have to issue notifications if 
their data, whether in storage or in transit, is encrypted with a NIST approved 
encryption algorithm, uses NIST approved key management techniques and has cryp- 
tographic operations performed within a FIPS 140 validated cryptographic module. 

2. Require second factor authentication for access to sensitive personal information. 

The Federal Deposit Insurance Corporation (FDIC) issued a thorough study of 
identity theft in its December 2004 report, Putting an End to Account-Hijacking 
Identity Theft. The FDIC’s lead recommendation is “Upgrading existing password- 
based single-factor customer authentication systems to two-factor authentication.” 
Industry analysts have confirmed this view. Jonathan Penn, an analyst at 
Forrester, has written that “In response to consumers’ rising concerns about fraud 
and identity theft, many organizations are evaluating strong authentication solu- 
tions . . .” And John Pescatore, an analyst with Gartner, has written “When you get 
to the core issue of most identity theft attacks, it really falls back to needing strong- 
er authentication . . .” 

The problem with two-factor authentication is that, until recently, it was difficult 
to administer and prohibitively expensive to implement on a large scale. Fortu- 
nately, new technology breakthroughs by Entrust and others have substantially re- 
duced the cost and complexity associated with two factor authentication. These 
breakthroughs should facilitate the broader use of this technology to organizations 
that must safeguard large quantities of digital identities. 

3. Encourage enterprises that hold sensitive personal information to use technological 
and other means to assure compliance with their privacy policies. 

Since the majority of breaches come from insiders, one way to limit them is for 
organizations to screen communications for privacy violations. The FDIC has al- 
ready highlighted this imperative in its safeguards guidance to financial institu- 
tions, recommending that they establish controls to prevent employees from pro- 
viding customer information to unauthorized individuals. Since banks are not the 
only ones holding sensitive personal information, these controls should be extended 
to non-financial institutions as well. 

Because the majority of electronic data is at some point associated with e-mail, 
controls that assure outgoing e-mail communications and attachments comply with 
privacy policies can help reduce identity theft. To the extent that organizations mon- 
itor e-mail traffic at all, however, many rely on a manual review of only a small 
sample of e-mail traffic. Fortunately, technology now exists that has automated com- 
pliance controls capable of blocking, archiving, redirecting or securing e-mail com- 
munications in real-time. Enterprises that are in the business of holding sensitive 
personal information should be encouraged to consider adopting it. 

4. Extend security requirements similar to the Gramm-Leach-Bliley Act safeguards 
for financial institutions to all entities that retain sensitive personal information. 

This Subcommittee should consider extending the risk management, reporting 
and accountability requirements documented in FDIC and FTC safeguards guidance 
to all enterprises that hold sensitive personal information. Title V of the Gramm- 
Leach-Bliley Act (GLBA) states that financial institutions must establish safeguards 
for customer records and information. In her testimony before this Subcommittee on 
March 15, 2005, the Chair of the Federal Trade Commission, Deborah Majoras, 
noted that to the extent that data brokers fall within the GLBA definition of finan- 
cial institutions they must abide by these safeguards. As discussed earlier, however, 
limiting the extension of the GLBA safeguards only to data brokers would overlook 
the vast numbers of other organizations that hold sensitive personal information 
and do little to stem the tide of identity theft. 

Since any discussion of security safeguards raises questions about technology 
mandates, it is important to emphasize that the regulatory guidance for imple- 
menting the GLBA safeguards addresses such issues as the need to develop a writ- 
ten security plan, to designate appropriate personnel to oversee it, and to conduct 
a risk assessment. None of these is a technology requirement. Instead, they relate 
to sound management practices. The National Cyber Security Summit Task Force 
on Information Security Governance that Entrust CEO Bill Conner co-chaired took 
a similar approach. In its April 2004 report, Information Security Governance: A 
Call to Action, it concluded that “The best way to strengthen US information secu- 
rity is to treat it as a corporate governance issue that requires the attention of 
Boards and CEOs.” It recommended that CEOs have an annual information security 
evaluation conducted, review the evaluation results with staff, and report on per- 
formance to their board of directors. In addition, it emphasized the need for organi- 
zations to establish a security management structure to assign explicit individual 
roles, responsibility, authority and accountability. 



CONCLUSION 

This Subcommittee has an important role to play in the effort to secure personal 
data. The goal is clear. We should do everything we can to encourage holders of sen- 
sitive information to secure it from unauthorized access and, in the event of a 
breach, to notify individuals so that they can protect themselves. The reality of 
rampant identity theft is proof that we have no time to waste. The fact that sen- 
sitive personal information is held by a wide variety of organizations demonstrates 
that a narrow solution will be insufficient. 

Information security is not only a technical issue, but also a governance challenge. 
Technology solutions, like encryption, strong authentication and automated e-mail 
compliance with privacy policies, can do a lot to prevent unauthorized access to per- 
sonal information. But they must be grounded in the risk management, reporting 
and accountability that can only be implemented with the active engagement of ex- 
ecutive management. 

Mr. Stearns. I thank the gentleman. We are on a vote, but I 
think we — Mr. Solove, I think we can get your opening statement, 
and then we will recess and come right back. So go ahead. Wel- 
come. 


STATEMENT OF DANIEL J. SOLOVE 

Mr. Solove. Mr. Chairman, Congresswoman Schakowsky, mem- 
bers of the committee, thank you for inviting me to appear before 
you and provide testimony. My name is Daniel Solove, and I am 
an associate professor of law at George Washington University Law 
School. I have published over a dozen articles as well as two books 
about information privacy. My most recent book, “The Digital Per- 
son,” discusses the issues at this hearing in depth. It was published 
in December 2004. 

The litany of data leaks and improper access to personal data are 
the symptoms of a significant problem that Congress must address. 
It is important to understand the nature of the problem, and I 
think this extends beyond just a security issue. 

We are increasingly living with digital dossiers about our lives. 
These repositories of personal data can affect whether we get a 
loan, a license, or a job. The central problem that we face today, 
the central problem is that it is caused by a lack of individual par- 
ticipation and empowerment when it comes to the collection and 
use of personal data and a lack of accountability among the compa- 
nies that handle that data. 

Today, people lack much participation in how their data is used and disseminated. Identity theft is difficult for victims to detect because they have little knowledge about the information being circulated about them. Therefore, solutions to the problem must provide individuals with greater knowledge and control about how their data is used. People must be provided meaningful remedies when their data is leaked and misused. Without meaningful remedies, mere notice of a leak is akin to a company saying we just had a toxic spill in your backyard. It might cause you harm, so you might want to have periodic medical checkups. 

Because people have so little participation and power over their 
information, it is very hard for them to clean up their records in 
the event of an identity theft. Congress should ensure that victims 
of identity theft have appropriate tools to repair the damage quickly. 

The harm to victims in an identity theft is facilitated by Social 
Security numbers, birth dates, and other pieces of personal data 
being used by companies as passwords to obtain access to accounts 
or to sign up for a credit card. If the practice of using Social Secu- 
rity numbers as passwords were halted, the leakage of Social Secu- 
rity numbers would not be so dangerous and damaging to individ- 
uals. 

The Gramm-Leach-Bliley Act requires security safeguards for 
personal data maintained by financial institutions. Despite these 
safeguards, many financial institutions continue to use Social Secu- 
rity numbers as passwords. Why doesn’t the FTC enforce these se- 
curity standards to halt this practice? Well, I can postulate a num- 
ber of reasons, and I think one of the primary reasons is that these 
security standards are incredibly vague and they haven’t provided 
adequate guidance. I think to be effective in crafting security 
standards, they must apply widely and they must be specific with- 
out being overly constraining. 

Beyond identity theft, people lack the ability to easily locate and 
fix errors in their records that may cause them harm. People’s dos- 
siers are often riddled with inaccuracies. The Fair Credit Reporting 
Act requires consumer reporting agencies to maintain procedures to 
ensure maximum possible accuracy. However, many data brokers 
have databases they claim fall outside of the Fair Credit Reporting 
Act. And little is done more systemically to ensure the accuracy of 
records systems used for background checks and other decisions 
about people’s lives. 

I believe that the security breaches that we are facing today are 
part of a larger problem, one involving information privacy. Infor- 
mation today is protected in a piecemeal fashion based on who 
holds it. The same piece of data might be protected if it is held by 
a video rental store but completely unprotected in the hands of 
data brokers like ChoicePoint. 

The current regulation of information has tremendous gaps and 
loopholes. We have a system that does not provide adequate ac- 
countability among the users of personal information. We have a 
system that, to a large extent, leaves people out in the cold who 
are victimized by identity theft or harmed by an erroneous report. 

Congress must put individuals back in control of their data and 
ensure that companies are accountable for the way that they han- 
dle and use that data. Thank you very much. 

[The prepared statement of Daniel J. Solove follows:] 

Prepared Statement of Daniel J. Solove, Associate Professor of Law, 
George Washington University Law School 

I. INTRODUCTION 

Mr. Chairman, members of the Committee, thank you for inviting me to appear 
before you and provide testimony. My name is Daniel Solove and I am an associate 
professor of law at the George Washington University Law School. I write exten- 
sively about information privacy law issues and have published well over a dozen 
law review articles as well as two books: The Digital Person: Technology and 
Privacy in the Information Age (NYU Press December 2004) and Information 
Privacy Law (Aspen 2003) (with Marc Rotenberg). 

The announcement of recent data breaches at a variety of companies and institu- 
tions have affected millions of people. As one article notes: 

In breaches reported publicly since February, more than 2.5 million records 
may have been exposed to thieves at data broker ChoicePoint, retailer DSW, 
news and information broker LexisNexis, the University of California at Berkeley and elsewhere.¹ 

I will not discuss the series of data breaches that have led to this hearing, as 
I am sure that you are all familiar with them. Instead, I will focus my comments 
on what can be done to address the problems and how we can better protect information privacy. My remarks will focus on two points. 

First, I will explain why the problem is larger than just a security problem. Secu- 
rity is one dimension of a larger set of issues involving information privacy. Beyond 
securing data, the law must ensure that when there is a leak or improper access, 
the harmful effects are minimized. Doing this requires empowering individuals with 
tools to better manage their data. Moreover, making companies more accountable 
for their activities will promote better security, as well as better accuracy, in record 
systems. 

Second, I will discuss why the innovative role of the states should be preserved. 
Federal legislation must allow room for states to experiment with new approaches 
and solutions to the problem. Many current federal protections, as well as many of 
the ideas currently proposed to address the problem, are drawn from state laws. 

There are many more specific measures that can be taken to address the problems 
we are encountering today. Chris Hoofnagle of the Electronic Privacy Information 
Center and I have written a short essay called A Model Regime of Privacy Protec- 
tion, where we set forward succinctly a series of sixteen legislative proposals. We 
explain why these proposals are necessary and respond directly to the criticisms of 
our proposals by a wide array of individuals (some from the industries we propose 
regulating). The paper is currently available for free at: Daniel J. Solove & Christopher Hoofnagle, A Model Regime of Privacy Protection, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701 

I will avoid repeating the content of this paper, but I recommend that you read 
it as it may be helpful in crafting specific legislative solutions. 

II. BEYOND SECURITY: A PROBLEM OF MANY DIMENSIONS 

The litany of data leaks and improper access to personal data are the symptoms 
of a significant problem that Congress should address. It is important to understand 
the nature of the problem, as it extends far beyond just a security issue. In my re- 
cent book, The Digital Person: Technology and Privacy in the Information Age (NYU 
Press, December 2004), I observed that the central problem we face is caused by 
a lack of individual participation and empowerment when it comes to the collection 
and use of personal information as well as a lack of accountability among the com- 
panies that handle the data. In my book, I argued: 

We are increasingly living with digital dossiers about our lives, and these dos- 
siers are not controlled by us but by various entities, such as private-sector 
companies and the government. These dossiers play a profound role in our existence in modern society.² 

These repositories of personal information are used in ways that affect key as- 
pects of our lives: whether we get a loan, a license, or a job. However, despite these 
high stakes: 

At present, the collectors and users of our data are often not accountable to 
us. A company can collect a person’s data without ever contacting that person, 
without that person ever finding out about it. The relationship is akin to the 
relationship between strangers — with one very important difference: One of the 
strangers knows a lot about the other and often has the power to use this information to affect the other’s life.³ 

The problem is not that companies dealing with personal information are a bunch 
of evil-doers bent on harming people. The collection and use of personal information 
can have many benefits, and the goal of an effective protection of privacy is not to 
stop information flow, but to empower individuals with greater control over their 
data and to make companies more accountable for their uses of personal data. 

A. Individual Participation 

People lack much participation in how their data is used or disseminated. Per- 
sonal data is readily collected and disseminated without people’s knowledge and 
consent, thus increasing people’s vulnerability to identity theft, stalking, and other 
crimes. 


¹ Jon Swartz, Time Warner’s Personal Data on 600,000 Missing, USA Today (May 3, 2005). 

² Daniel J. Solove, The Digital Person: Technology and Privacy in the Information Age 115 (2004). 

³ Id. at 102. 



Identity theft is rising at a staggering rate. In an identity theft, the thief uses 
a victim’s personal information to improperly access accounts, obtain credit in the 
victim’s name, or impersonate the victim for other purposes. In 2003, the FTC esti- 
mated that “almost 10 million Americans have discovered that they were the victim 
of some form of ID Theft within the past year.”⁴ 

The law has attempted to deal with identity theft by enhancing criminal pen- 
alties, but this alone has been a dismal failure. The problem is that identity thieves 
are hard to catch. Gartner, Inc. estimates that only 1 in 700 thieves is successfully 
prosecuted.⁵ A report by the U.S. General Accounting Office describes in great detail 
the difficulties with criminal investigation and prosecution of identity theft cases.⁶ 

In contrast, I noted in my book that: 

The identity thief’s ability to so easily access and use our personal data stems 
from an architecture that does not provide adequate security to our personal information and that does not afford us with a sufficient degree of participation 
in its collection, dissemination, and use. Consequently, it is difficult for the victim to figure out what is going on and how to remedy the situation.⁷ 

The problem is that the law does not afford people sufficient participation in the 
way that their information is managed. Identity theft is difficult for victims to de- 
tect because they have little knowledge about the information being circulated about 
them or how that data is being used. The victim’s lack of awareness is exploited 
by the identity thief, who can go on a spree of fraud in the victim’s name without 
the victim finding out about it. Therefore, solutions to the problem must provide in- 
dividuals with greater knowledge and control about how their data is used. 

B. Remedies for Harmed Individuals 

People must be provided meaningful remedies when their data is leaked or mis- 
used. Without meaningful remedies, mere notice of a leak would be akin to a com- 
pany saying: “We just had a toxic spill in your backyard. It might cause you harm, 
and so you might want to have periodic medical checkups.” The letter from 
ChoicePoint to the victims of its data breach began: 

I’m writing to inform you of a recent crime committed against ChoicePoint 
that MAY have resulted in your name, address, and Social Security number 
being viewed by businesses that are not allowed to access such information. We 
have reason to believe that your personal information may have been obtained 
by unauthorized third parties, and we deeply regret any inconvenience this 
event may cause you.⁸ 

The letter recommended that people review their credit reports, and continue to 
check them for unusual activity. In other words, “we’ve had a spill, now you go and 
protect yourself” 

Certainly, requiring disclosure of security leaks is a good first step, but merely 
sending people a scary letter without providing them with sufficient rights and abili- 
ties to address the problems will not suffice. 

Identity theft, according to estimates, results in victims spending on average 200 
hours and thousands of dollars fixing the damage.⁹ Becoming victimized by identity 
theft is akin to contracting a chronic protracted disease. Because people have so lit- 
tle participation and power over their information, it is very hard for them to cure 
themselves and clean up their records. Identity theft can be financially and emotion- 
ally crippling, and the law does little to help people who have been victimized. 
States, such as California, have adopted some effective measures to assist victims 
in dealing with identity theft.¹⁰ I believe that Congress should look to California’s 
measures as it crafts a federal law addressing these issues. 


⁴ Federal Trade Commission, Identity Theft Survey Report 4, 6 (Sept. 2003). For an excellent account of the rise of identity theft, see Bob Sullivan, Your Evil Twin: Behind the Identity Theft Epidemic (2004). 

⁵ Stephen Mihm, Dumpster Diving for Your Identity, N.Y. Times Magazine, Dec. 21, 2003. 

⁶ U.S. General Accounting Office, Report to the Honorable Sam Johnson, House of Representatives, Identity Theft: Greater Awareness and Use of Existing Data Are Needed 17-18 (June 2002). 

⁷ Daniel J. Solove, The Digital Person: Technology and Privacy in the Information Age 115 (2004). 

⁸ Letter from ChoicePoint to Californians Regarding the Data Breach (Feb. 9, 2005). 

⁹ Janine Benner, Beth Givens, & Ed Mierzwinski, Nowhere To Turn: Victims Speak Out on Identity Theft: A CALPIRG / Privacy Rights Clearinghouse Report (May 2000), at http://privacyrights.org/ar/idtheft2000.htm. 

¹⁰ The California Office of Privacy Protection maintains a comprehensive summary of California’s privacy statutes: http://www.privacy.ca.gov/lawenforcement/laws.htm. 



C. Deactivating Dangerous Data 

The data leaks that have occurred recently are made more harmful because of an- 
other type of security issue. SSNs, birth dates, and other pieces of personal data 
are used by other companies as passwords to obtain access to accounts or to sign 
up for a credit card. It would take great imagination to design a poorer security 
mechanism than the use of SSNs. This is akin to using a password that anyone can 
readily obtain in an instant. Companies routinely sell people’s SSNs, as it is not illegal to do so. SSNs are also available in many public records.¹¹ This “password” can 
then unlock virtually any account or be used to sign up for credit cards. And it is 
very difficult to change it. As I argued in my book, “the SSN functions as a magic 
key that can unlock vast stores of records as well as financial accounts, making it 
the identity thief’s best tool . . . [T]he government has created an identification number without affording adequate precautions against its misuse.”¹² 

If the practice of using SSNs as passwords were halted, the leakage of SSNs 
would not be as dangerous and damaging to individuals. In our paper, A Model Re- 
gime of Privacy Protection, Chris Hoofnagle and I propose: 

Companies shall develop methods of identification which (1) are not based on 
publicly available personal information or data that can readily be purchased 
from a data broker; and (2) can be easily changed if they fall into the wrong 
hands. Whereas Social Security Numbers cannot be changed without significant 
hassle, and dates of birth and mother’s maiden names cannot be changed, iden- 
tifiers such as passwords can be changed with ease. Furthermore, they are not 
universal, and thus a thief with a password cannot access all of a victim’s ac- 
counts — only those with that password. Biometric identifiers present problems 
because they are impossible to change, and if they fall into the wrong hands 
could prove devastating for victims as well as present ongoing risks to national 
security. Therefore, passwords are a cheap and effective way to limit much iden- 
tity theft and minimize the problems victims face in clearing up the damage 
caused by identity theft.¹³ 

If businesses and other private sector organization were restricted from using 
SSNs as passwords, improper access to people’s SSNs would not put people in such 
peril of identity theft and fraud. 

The Gramm-Leach-Bliley (GLB) Act of 1999 requires agencies that regulate financial institutions to promulgate “administrative, technical, and physical safeguards 
for personal information.”¹⁴ Despite the fact that FTC regulations under the 
Gramm-Leach-Bliley Act establish security standards for financial institutions to 
“[p]rotect against unauthorized access to or use of such information that could result 
in substantial harm or inconvenience to any customer,”¹⁵ many financial institutions continue to allow easy access to records by using SSNs as passwords. In an 
article entitled Identity Theft, Privacy, and the Architecture of Vulnerability,¹⁶ I argued: 

The GLB Act requires a number of agencies that regulate financial institu- 
tions to promulgate “administrative, technical, and physical safeguards for per- 
sonal information.” On February 1, 2001, several agencies including the Office 
of the Comptroller of the Currency, the Board of Governors of the Federal Re- 
serve System, the Federal Deposit Insurance Corporation, and the Office of 
Thrift Supervision issued standards for safeguarding customer information. On 
May 23, 2002, the FTC issued similar security standards. Pursuant to the FTC 
regulations, financial institutions “shall develop, implement, and maintain a 
comprehensive information security program” that is appropriate to the “size 
and complexity” of the institution, the “nature and scope” of the institution’s ac- 
tivities, and the “sensitivity of any customer information at issue.” An informa- 
tion security program consists of “the administrative, technical, or physical safe- 
guards [institutions] use to access, collect, distribute, process, store, use, trans- 
mit, dispose of, or otherwise handle customer information.” The regulations set 
forth three objectives that a security program should achieve: 

(1) Insure the security and confidentiality of customer information; 


¹¹ Solove, Digital Person, supra, at 115-17. 

¹² Solove, Digital Person, supra, at 116. 

¹³ Daniel J. Solove & Christopher Hoofnagle, A Model Regime of Privacy Protection, at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701 

¹⁴ 15 U.S.C. § 6801(b) (requiring agencies to promulgate “administrative, technical, and physical safeguards for personal information.”). 

¹⁵ 16 C.F.R. § 314.3(b) (2002). 

¹⁶ Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227 (2003). 



(2) Protect against any anticipated threats or hazards to the security or integ- 
rity of such information; and 

(3) Protect against unauthorized access to or use of such information that 
could result in substantial harm or inconvenience to any customer. 

The GLB Act is on the right track in its focus on information secu- 
rity . . . However, the regulations under the GLB Act remain rather vague as to 
the specific level of security that is required or what types of measures should 
be taken. The regulations require institutions to designate personnel to “coordi- 
nate” the information security program; and to “[i]dentify reasonably foresee- 
able internal and external risks to the security, confidentiality, and integrity of 
customer information.” These regulations establish rather broad obvious side- 
lines; they virtually ignore specifics. Of course, a rule that is too detailed in the 
standards it required could end up being ineffective as well . . . [S]uch regulations, if too specific, can quickly become obsolete, discourage innovation, and be 
costly and inefficient. However, rules that are too open-ended and vague can 
end up being toothless. Although security standards must not be overly specific, 
they must contain meaningful minimum requirements. 

Ultimately, the strength of the GLB Act’s security protections will depend 
upon how they are enforced. 

Despite these new security provisions, companies continue to maintain lax se- 
curity procedures for the access of financial accounts and other personal data. 
Thus far, the FTC’s efforts have been somewhat anemic. With vigorous enforce- 
ment, security practices can change. But it remains uncertain whether the FTC 
and other agencies will undertake such a vigorous enforcement effort.¹⁷ 

The FTC has not used the GLB Act to crack down on security, as the spate of 
security breaches in the news these days have occurred in spite of these regulations. 
The FTC could have concluded, for example, that the use of SSNs as passwords by 
so many financial institutions was an insufficient security procedure under the GLB 
standards. But it did not. Why hasn’t the FTC vigorously enforced these security 
standards? 

I can postulate two reasons. First, the security standards only apply to financial 
institutions rather than all the entities that process significant amounts of personal 
data. Second, they are rather vague, and as a result, they have not provided ade- 
quate guidance. To be effective, security standards must apply widely, not in a 
piecemeal fashion, and they must be more specific in nature (without being overly 
constraining). 

D. Accuracy 

Beyond identity theft, people lack the ability to easily locate and fix errors in their 
records that can cause them harm. Decisions are being made based on people’s dos- 
siers which are often riddled with inaccuracies. Although a recent Wall St. Journal 
article noted that ChoicePoint says that only .0008% of its 7.3 million background 
checks in 2004 had incorrect data, the authors had no difficulty finding a number 
of instances of people harmed by errors in ChoicePoint databases.¹⁸ In one study, 
90% of ChoicePoint’s reports obtained had at least one error.¹⁹ And there are numerous anecdotal stories reported in the media of significant errors in people’s reports.²⁰ 

The issue of accuracy demonstrates a central problem — the companies maintain- 
ing personal data are often not accountable to the people to whom the data pertains. 
Because of this lack of accountability, there are insufficient incentives for data bro- 
kers to maintain their records accurately. The Fair Credit Reporting Act (FCRA) re- 
quires consumer reporting agencies to maintain procedures to ensure “maximum 
possible accuracy.”²¹ However, many data brokers have databases that they claim 
fall outside of FCRA. And they gather data from various public record systems, 
which themselves might have errors. An error can infect various databases because 
of the fluidity by which personal information is transferred. Moreover, because people are so out of the loop when it comes to the way their data is collected and used, 
they might not even discover the error. Little is done more systemically to ensure 
the accuracy of record systems used for background checks and other decisions 
about people’s lives. 

¹⁷ Id. at 45-46. The article is available online at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=416740 

¹⁸ Evan Perez & Rick Brooks, File Sharing: For Big Vendor of Personal Data, A Theft Lays Bare the Downside, Wall St. J., May 3, 2005, at A1. 

¹⁹ After the Breach: How Secure and Accurate is Consumer Information Held by ChoicePoint and Other Data Aggregators?, Before the California Senate Banking Committee, Mar. 30, 2005 (testimony of Pam Dixon, Executive Director, World Privacy Forum). 

²⁰ Id. (testimony of Elizabeth Rosen, Registered Nurse) (noting that the report wrongly reported that she owned a deli store); Bob Sullivan, ChoicePoint Files Found Riddled With Errors, MSNBC, Mar 8, 2005, available at http://www.msnbc.msn.com/id/7118767/ (noting that Deborah Pierce’s ChoicePoint report wrongly indicated a “possible Texas criminal history”). 

²¹ 15 U.S.C. § 1681e(b). 

E. Closing the Gaps 

The security breaches we are facing today are part of a larger problem, one in- 
volving information privacy. This is not a problem that can be solved with what I 
call the “little more care and little more notice” approach. Certainly setting min- 
imum security standards and providing notice to consumers of security breaches are 
two important steps. But the larger problem is one of information privacy. In some 
contexts, personal information is widely collected, used, and disseminated without 
much control or limitation. Information today is protected in a piecemeal fashion 
based on who holds it. The same piece of data might be protected if held by a video 
rental store but completely unprotected in the hands of data brokers such as 
ChoicePoint or LexisNexis.²² The current state of regulation of information is very 
porous, with tremendous gaps and loopholes. The result is that we have, in many 
respects, lost control over the way personal information is collected, managed, and 
used. We have a system that does not promote accountability among the users of 
personal information. We have a system that to a large extent leaves people out in 
the cold if victimized by identity theft or if harmed by an erroneous report. We have 
a system that thrusts on consumers the tremendous responsibility of guarding their 
digital dossiers, a difficult task when so many companies maintain data about them 
and when people have little knowledge that this is going on. Congress must put in- 
dividuals back in control of their data and ensure that companies are accountable 
for the way they handle and use that data. 

III. THE PROBLEM WITH PREEMPTION 

In any solution that Congress takes, the innovative role of the states must be pre- 
served. Thus, Congress should avoid preempting state laws when crafting federal 
legislation. 

Many of the ideas for reforming the information system in this country emerge 
from state laws. Justice Brandeis said it well: “It is one of the happy incidents of 
the federal system that a single courageous State may, if its citizens choose, serve 
as a laboratory; and try novel social and economic experiments without risk to the 
rest of the country.”²³ This is especially important in such a rapidly changing field 
such as information privacy. Not all approaches work, and we need a way to test 
innovative solutions. Indeed, the law that required ChoicePoint to disclose its secu- 
rity breach was a California law. What if there were federal preemption and such 
a law never existed? Would we ever have found out about the security breach? 

Federal legislation that preempts state law will not only shut down the real en- 
gines of innovation in the field, but it will have very detrimental long-term effects 
on federal legislation as well. The grist for federal legislation in privacy is often 
state regulatory ideas that have worked. The majority of privacy legislation has 
been enacted at the state level.²⁴ Many of the federal laws addressing privacy have 
adopted measures tried-and-tested in the states. The states first tried out the idea 
of telemarketing do-not-call lists. Many of the reforms in the 2003 federal Fair and 
Accurate Credit Transactions Act were based on prior state laws.²⁵ If Congress were 
to shut down this tremendous source of ideas, federal legislation will lose one of its 
primary developmental tools. Federal legislation in the future would suffer severely 
as a result. 

I have often heard companies say that it is too onerous complying with so many 
differing laws in all 50 states. Yet if the federal legislation sets a strong floor of 
protection, there will be little incentive for the states to do more. In other words, 
if the federal legislation solves the problems, then there will not be a need for the 
states to act. Additionally, historically, stronger protections have only been enacted 
by a handful of states, not all 50. So the reality is not 50 different standards, but 
a floor of protection for 90% of the states with the remaining 10% adopting a slight- 
ly more protective standards. Moreover, other industries have long dealt with dif- 
fering state protections, such as the auto industry and the insurance industry. Why 


22 Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 18 U.S.C. §§ 2710-11.

23 New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).

24 Robert Ellis Smith, Compilation of State and Federal Privacy Laws (Privacy Journal 2002).

25 Edmund Mierzwinski, Preemption of State Consumer Laws: Federal Interference Is A Market Failure, Government, Law and Policy Journal of the New York State Bar Association, Spring 2004 (Vol. 6, No. 1, pgs. 6-12).





are the burdens on data brokers any greater? What strikes me as most remarkable 
is that companies that manage billions of records of data and claim to be able to 
do so with remarkable depth, precision, and detail say that they cannot comply with 
a handful of states that have stronger protections. 

Most federal privacy laws have not preempted stronger state protections: the Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver’s Privacy Protection Act, and the Gramm-Leach-Bliley Act.[26] In all these instances, companies have been able to comply with state laws.

IV. CONCLUSION 

I am very encouraged that so many in Congress are interested in addressing the 
problems of data security and information privacy. My recommendations today are: 
(1) to focus on the larger problem by empowering individuals and making the users 
of data more accountable; and (2) to avoid preempting the states, as this will retard 
the development of privacy law for years to come. 

Mr. Stearns. I thank the gentleman. We are going to take a re- 
cess. We will quickly vote and we will be right back with the ques- 
tions from the Members of Congress. So thank you for your pa- 
tience. 

[Brief recess.] 

Chairman Barton. The Chair would recognize himself for 5 min- 
utes. I want to apologize for calling you back from your break, but 
I have got three meetings going on right now and so this would be 
my only chance to ask questions. 

This is not a Visa card; it is a MasterCard card, but I have got — 
it says Joe Barton, Campaign, Joe Barton. There is only one of 
these cards. I hardly ever use it. Five, six times a year maybe, once 
a month. I got a phone call Monday; somebody in Orlando, Florida 
had charged $3,500 at two different Wal-Marts on this card. Now, 
I have been in Wal-Mart; I have been in Orlando to Disneyworld 
back in January, but I never went to a Wal-Mart. And the people 
that use — they actually had a card, not just the number, they had 
the card. And they went in on two different occasions, charged 
around $3,500. So I got a phone call, and the lady on the phone 
said had I been to Orlando, Florida? I said yes. She said were you 
there over the weekend? And I said no. And so we determined that 
somebody else had used this card. 

Now, the gentleman from — I think Mr. Ireland is representing 
Visa. According to your testimony, there is a very sophisticated sys- 
tem to detect misappropriation or misuse of these cards, so I would 
assume that that is what happened with me, that it kicked in be- 
cause it was two large transactions and in an area that I showed 
almost no use, no geographic use. Is that correct? 

Mr. Ireland. That is correct. The financial institution — bank 
that issued that card and probably in combination with 
MasterCard has a system to track authorizations on the card to see 
whether they fit your pattern and to see whether they fit known 
fraud patterns. And so they spotted a transaction that they didn’t 
think was you 

Chairman Barton. Now, who ends up paying for those charges? 
Does Wal-Mart pay for them? Does the institution that issued this 
card pay for them? 


26 Respectively at 18 U.S.C. § 2510 et seq., 12 U.S.C. § 3401, 47 U.S.C. § 551(g), 18 U.S.C. § 2710(f), 29 U.S.C. § 2009, 47 U.S.C. § 227(e), 18 U.S.C. § 2721, and Pub. L. No. 106-102, §§ 507, 524 (1999).





Mr. Ireland. Typically, in a card-present transaction, the insti- 
tution that issued the card will pay for it. 

Chairman Barton. Now what, if anything, will they do to try to 
actually track down the person who used this card fraudulently? 

Mr. Ireland. Well, typically, the card issuers will work with law 
enforcement based on the information they get to see if there is any 
way they can do it. We are talking in this case about the creation 
of counterfeit cards, which 

Chairman Barton. They actually had a card. It wasn’t just the 
number. 

Mr. Ireland. Exactly. Which has been a problem in the past and 
the credit card issuers have worked to develop security features in 
the card and other ways to combat card counterfeiting. But they 
have regular programs that are designed to prevent those kinds of 
fraud and to try to track them down 

Chairman Barton. Well, how would whoever got a fraudulent 
card — because I just almost never use this card. How would they 
have actually gotten the information, obtained the information to 
create the fraudulent card? 

Mr. Ireland. I obviously can’t answer that in this specific case. 
But it is possible to create fraudulent cards based on information 
that may be collected at the point of sale. I believe the Visa rules 
discourage or prevent the collection of that information, but some- 
times enough information is collected at point of sale to create a 
fraudulent card. No. 1. No. 2, plain old theft may be involved. 
Somebody may have been able to get a hold of the card, steal it 
for a period of time and replace it. 

Chairman Barton. I — now what? 

[Brief recess.] 

Mr. Stearns. If members are here, we are going to continue to 
go on. We have another full committee markup that we have to do 
in this room, and I think we have three out of the five, and we 
have the chairman here who is in the middle of his questions. So 
if the witnesses will please take their seats, and we shall continue. 
And with that, I recognize the chairman of the full committee, Mr. 
Barton. 

Chairman Barton. And, Mr. Chairman, I had about 2 minutes 
left on my clock, so if you want to 

Mr. Stearns. Well 

Chairman Barton. [continuing] reset the clock 

Mr. Stearns. [continuing] we will give you whatever you want, 
sir. 

Chairman Barton. Well, we just want to be fair. I was asking 
a series of questions based on my personal campaign credit card 
being stolen over — the number stolen and used down in Florida, 
what the safeguards are about that. But I want to go to the next 
line of questions. I want to ask Mrs. Barrett, I would like to outlaw 
the use of Social Security numbers for any purpose except govern- 
mental purposes. What is your reaction to that? 

Ms. Barrett. Well, I think that the Social Security number has 
become an identifier in many, many aspects of our lives. From a 
standpoint of Acxiom’s business, we limit its use to a very, very 
small number of instances. So the direct impact on something 
like — back to us would not be significant. But I am aware of instances where it would create huge problems for either our clients or other businesses. And I 

Chairman Barton. Well, just this calendar year, we have had I 
think three instances of people breaking into data systems and 
stealing hundreds of thousands of records that had Social Security 
numbers attached to them with quite a bit of personal privacy in- 
formation. You know, I understand how ubiquitous the Social Secu- 
rity number is, and it is one of the few things that almost every 
American citizen has and even some non-citizens if they are work- 
ing in the country. But wouldn’t it be possible to create each data 
base its own identifier so we don’t have to use the Social Security 
number? 

Ms. Barrett. In many cases Acxiom does help our clients, who 
have the records on these consumers, create their unique customer 
identifiers. Social Security number, however, has become a key ele- 
ment in identifying someone’s identity when you are trying to es- 
tablish who that person is up front so that 

Chairman Barton. But you could do it without it. We have had 
banks a lot longer than we have had the Social Security system. 

Ms. Barrett. You could. I think we need to look carefully at whether it is government uses or other specific uses should be carved out and preserved because of the importance of it 

Chairman Barton. Mr. Burton 

Ms. Barrett. [continuing] restricting general uses. 

Chairman Barton. Mr. Burton, do you have a comment on that? 

Mr. Burton. No, I don’t. I think our view is if you are keeping 
any sort of data. Social Security numbers, any sensitive data, it 
should be encrypted so that even if it is pilfered, it doesn’t mean 
anything to the thieves. 

Chairman Barton. Okay. What about the gentleman, Mr. 
MacCarthy, who is representing Visa now. 

Mr. MacCarthy. Our sense is that the Social Security number 
is a key identifier in a lot of the data bases that are important for 
people who are issuing credit cards, when they are trying to deter- 
mine whether someone who is applying for credit has a good his- 
tory. The Social Security number is, in the current systems, a very 
important way of identifying that person and seeing whether that 
person has a good credit history. It is not impossible over time to 
move to a new system, but the legacy systems, the ones that exist 
now, the ones that help us fight identity theft and fraud all make 
heavy use of the Social Security number. And a government rule 
that said you simply can’t use that starting tomorrow would create 
havoc with those systems. So we would ask you to look carefully 
at the idea of restricting Social Security numbers to just govern- 
ment use. We think right now they are 

Chairman Barton. Well, I know that you 

Mr. MacCarthy. [continuing] legitimate commercial uses. 

Chairman Barton. I know that you are not trying to be argu- 
mentative and that you had a legitimate business point, but at 
what point do we say an individual’s privacy trumps that? Do we 
just say it is okay for these Social Security numbers to be stolen 
and used for all kinds of purposes for which they are not intended 
because of these legacy systems and all of the valid, legitimate 





business reasons why it would be inconvenient to do something dif- 
ferently? 

Mr. MacCarthy. Two things: one is very often a way to fight 
identity theft and fraud, which hurts consumers, is through the ef- 
fective use of Social Security numbers. So if you take that weapon 
away from us, it might actually hurt in protecting people against 
identity theft and fraud. 

The second is there are some uses of Social Security that prob- 
ably should be restricted. You know, the idea that a Social Security 
number can be simply published on the Internet or made available 
for non-business uses, we think that that is the kind of thing that 
Congress may want to look upon and restrict. 

In terms of business practices, it is the current practice and 
maybe it should begin to be phased out — it is the current practice 
for Social Security numbers to be used as access numbers to gain 
access to accounts and other — and that may be something that 
should, over time, go away as well. The fact that that number is 
so readily available makes it very, very risky to use as an access 
device. 

Chairman Barton. And my time is about to expire, but as we 
get more and more information and more and more centralized, we 
have to do something. I mean we just have to. You cannot have an 
individual or a family that their whole financial records, their med- 
ical records, all kinds of consumer data is just out there without 
their permission. And the Social Security number ties that all to- 
gether and it is so easy for the criminal elements — we have had 
testimony that organized crime is moving in to identity theft. And 
so I know there are legitimate business reasons why it is done, but 
I think the time has come to tip the balance in the favor of the in- 
dividual privacy and find another way to help businesses determine 
the identity of people they want to give credit to. With that, Mr. 
Chairman, I yield back. I thank the witnesses for the inconven- 
ience. 

Mr. Stearns. Just following up with what the chairman said, 
there is some talk about a second factor ID authentication, and 
they gave me this card, Mr. Chairman, where, instead of putting 
your Social Security number, what you would do is put your name 
and then they would ask you, based upon the permutations in this 
card, you would give them a number off a card. And rather than — 
I think that is what you talked about a little bit, Mr. Burton. You 
might tell the chairman here just before he goes what this second 
factor ID authentication would do which possibly could replace So- 
cial Security. 

Mr. Burton. Yes, well, second factor authentication is an access 
card and a way to identify a user. I think what it would not do is 
identify a user in a data base, which I think is what a lot of Social 
Security numbers do. But what a lot of security experts are saying, 
we have got to have, for everyone holding sensitive information, 
says the FDIC recommendation, is to use second factor authentica- 
tion. And that means not only something that you know, which are 
passwords which you give you access to an account, but something 
that you physically have. So even if your password is compromised, 
the thieves still can’t get access. The problem with this technology 





to date is that it is quite expensive. It can run $40, $50 per year 
per user. And so for mass applications, it is simply not feasible. 

And the solution that Chairman Stearns and I were discussing 
is called Identity Guard. Entrust just released it about 4 months 
ago. And what you do is you enter your user name and password 
in your account; you then have a card with a unique scrambled set 
of numbers and letters unique to you, and much like bingo, you are 
prompted to say, well, what is in column A-1, B-3, C-4, and then 
you fill in the numbers from this unique card and get access to 
your account. 

What is interesting about this is that that prompt changes every 
time you log in. So it is not that there is one pin number, there 
is one password that someone has to steal to get access to your ac- 
count. Very inexpensive, very easy to deploy, mass market applica- 
tion, and I think these are the kinds of technologies that the pri- 
vate sector is starting to come up with to address questions of ac- 
cess to sensitive information. 

Mr. Stearns. Thank you. You know, listening to your opening 
statements I sort of put together I think about seven different 
things that would possibly be in a bill. And I am not sure we would 
all agree upon these factors. But I thought I would take each one 
and ask you if you agree or disagree. The first I heard was uniform 
national notification standards for consumers in the event of a 
breach. Does anybody not agree with that being part of the bill? 
Okay. So 

Mr. Burton. Just a 

Mr. Stearns. Yes. 

Mr. Burton. [continuing] point of clarification for breach of unencrypted personal information. I think that is how most of the State laws read 

Mr. Stearns. Okay 

Mr. Burton. [continuing] so that if there is a breach and the data is encrypted, no one can read it, and so there shouldn’t be a notification requirement. 

Mr. Stearns. Okay. 

Mr. MacCarthy. Mr. Chairman 

Mr. Stearns. Yes, sir. 

Mr. MacCarthy. The one thing we would add to that is compli- 
ance with the guidelines that have been put in place by the Federal 
banking regulators should count as compliance with the national 
standard that is put in place in the legislation. 

Mr. Stearns. Okay. Good point. The second is Federal preemp- 
tion with all the States. Anybody disagree with that? Okay. The 
third is establish an official agency role over public data providers. 
This was mentioned. Sort of a government agency having broad 
powers, something like the SEC, dealing with privacy. Does any- 
body disagree with that or not? It is a little more controversial. 
And, Ms. Barrett, I think you sort of might have some objection to 
that. 

Ms. Barrett. Well, I don’t know that I have objection. I think 
that information providers have a responsibility to safeguard the 
information and use it for responsible purposes. And if there are 
enough bad actors out there that are using information irresponsibly, we want those out of the marketplace. And if it takes a regulating agency to do it, then we will support that. 

Mr. Stearns. Okay, so that is — yes. This is pretty important now. What you are saying is a government regulating agency should be put in place to help and control, and, you know, you have got to be careful what you ask for here. 

Mr. MacCarthy. The only point I would ask is that the committee recognize the important role that the Federal banking regulators already play in that area 

Mr. Stearns. Okay. 

Mr. MacCarthy. [continuing] their privacy requirements and their security requirements, notification requirements that are already administered by the banking agencies and by the Federal Trade Commission. And I don’t think it would be a good idea to move enforcement from those agencies to a new agency. 

Mr. Stearns. Okay. So maybe the existing Federal Trade Com- 
mission or the existing whatever 

Mr. MacCarthy. Yes. 

Mr. Stearns. [continuing] Gramm-Leach-Bliley where 

Mr. MacCarthy. Yes, that would work. 

Mr. Stearns. Yes. Opportunity for consumers to inspect and cor- 
rect any information that is in their data base. Yes? 

Ms. Barrett. Today, we offer the consumer the right to do that. 
I think that it is — when it comes to correction, it is a complicated 
environment, so we need to explore how a correction takes place 
very carefully. But the concept that the information needs to be ac- 
curate, and when it is inaccurate, we need to figure out ways to 
deal with it is one we support. 

Mr. Stearns. The idea is for your consumer credit you can get 
access to see if it is correct. And so the theory is then why can’t 
you inspect incorrect data that has been collected to see if it is cor- 
rect too? 

Ms. Barrett. We actually offer the same inspection 

Mr. Stearns. Okay. 

Ms. Barrett. [continuing] of information in our fraud management systems. 

Mr. Stearns. I am not sure 

Ms. Barrett. And our 

Mr. Stearns. [continuing] everybody does though. 

Ms. Barrett. No. I don’t believe 

Mr. Stearns. And so the question, should the Federal Govern- 
ment step in and mandate that all data collection agencies have to 
provide access to consumers so they can see if the information is 
correct? That is a little sensitive because there is a lot there that 
deals with marketing and deals with 

Ms. Barrett. I was just about to say there are different cat- 
egories of data. 

Mr. Stearns. Right, different categories. 

Ms. Barrett. And so I think it is important to understand that 
when we want to put a standard of accuracy in and correction in 
and access in, that we need to do it in a way where the accuracy 
of the information is important to the decisionmaking process. We 
offer access today to all of our what we call reference products 





where decisions are being made, identities are being verified with 
that information. 

We actually do not today offer access to our marketing products. 
We offer an opportunity to see what kind of data we might have 
about you and then the chance to opt out of that. But since you 
can’t opt out of identity systems like you can’t opt out of your credit 
report 

Mr. Stearns. Yes. 

Ms. Barrett. [continuing] the inspection process becomes more important. 

Mr. Stearns. Yes, it is a little more nuanced. Someone mentioned to possibly have the security officer sign to corroborate the security at the agency that collects this information. Does anybody disagree with that? It is a little bit like Sarbanes-Oxley, in which the CEO has to sign the accounting — the P and L statement. So it sounds like you might accept that. 

The other idea is standard credentialing practices for customers 
desiring sensitive consumer data. Anybody object to that? 

Ms. Barrett. Let me just comment on that 

Mr. Stearns. Yes. 

Ms. Barrett. [continuing] I think that credentialing is extremely 
important. I would caution the committee in terms of how it de- 
fines credentialing because the tools we have for credentialing 
today will not be the same tools that we have in 5 or 10 years 

Mr. Stearns. Yes. 

Ms. Barrett. [continuing] and so if we do it in a way that allows 
the evolution of technology and other aspects to be accommodated 
within the requirement, it may be a good requirement. For in- 
stance, I think the Gramm-Leach-Bliley safeguards rule really ac- 
tually has an implication on credentialing because it says you must 
have physical, procedural, system, and so on, processes in place to 
keep the data protected from unauthorized use. And to me 
credentialing becomes a part of that. So I would just urge that the 
committee not consider too prescriptive an approach to accommo- 
date wherever we go with technology in the future. 

Mr. Stearns. My time is up. I think the last one I had was to encourage, perhaps through legislation, a technical solution for — well, let me — you know, instead of using your Social Security ID, to try and encourage some other way, work out so that you could access the information without using your Social Security ID. And that is sort of what we talked about in the Chairman Barton talk. So my time has expired. And with that, I recognize the ranking member. 

Ms. Schakowsky. Thank you, Mr. Chairman. Mr. Ireland, you, 
in your testimony, talked about significant risk of harm, and you 
went back to FTC chairwoman saying notices should be sent only 
if there is a significant risk of harm. How are we going to define 
significant risk of harm? 

Mr. Ireland. Well, I think there is obviously a drafting issue 
here as to precisely the verbiage you use in how you ensure that 
it doesn’t essentially gut the requirement. But there are numerous 
circumstances where identification information that could other- 
wise be used for identity theft, upon investigation you find out that 
it is clearly not going to be used for that purpose. 





One thing we have seen is what might be called competitive espionage where one company manages to get a hold of the other company’s customer list, and it includes identification information that might be used to open an account. But you know they have no intention of doing that. What they want to do is solicit the company’s customers. And a notice in those circumstances to the customer might serve some privacy interest, but there is no real reason for the customer to go put a fraud alert on their account, for example 

Ms. Schakowsky. Well, who says that it is not of interest to the consumer in that even being solicited might, in their view — harm may not be the correct word, but you heard my colleague, Ms. 
Cubin, talk about being notified about some breaches which, she 
said, thankfully are not going to result, she believes, in any illegit- 
imate use. But she, it seems to me, is glad to know that this infor- 
mation has been shared at the very least. And I can’t quote you 
exactly the source, but at one of the many hearings on privacy, ap- 
parently a data broker has testified that the unauthorized access 
of information by a former employee does not constitute a signifi- 
cant risk. I am just a little concerned that the owners of this infor- 
mation are deciding for me what I might consider to be significant 
harm and then choosing to not provide the information to me, that 
there has been a breach. 

Mr. Ireland. Well, I would agree with you. I think there is a ter- 
minology and a drafting challenge there because you don’t want the 
owners to have unlimited discretion to make that decision. Cur- 
rently, under the banking agency guidance, for example, banks are 
required to notify the banking agency about the breach, regardless 
of risk. And then they are supposed to notify based on risk stand- 
ard, and that is going to be worked out between the banks and the 
banking agencies. 

There are issues where information is disclosed that have impli- 
cations for privacy. There are issues where information is disclosed 
that have implication for credit card fraud. And there are issues 
where information is disclosed that have implications for identity 
theft in the form of opening accounts in somebody’s name that are 
fraudulent. And the actions that a consumer would want to take 
on the basis of those different classes of breaches are different. If 
you find that you are giving notices to consumers in all of those 
classes, you may find that the one where they really need to take 
action by putting a fraud alert, for example, on their file at a consumer reporting agency under the FACT Act, as passed by Congress in 2003, gets lost among other notices that are simply addressing potential privacy issues. So I think the 

Ms. Schakowsky. You know, I mean 

Mr. Ireland. [continuing] judgment needs to be made 

Ms. Schakowsky. [continuing] let us not get too 

Mr. Ireland. [continuing] here 

Ms. Schakowsky. [continuing] patronizing though about what 
consumers can really handle. I mean, we may want to deal with 
how we communicate that and prioritize a sense of urgency. But 
isn’t it also true that financial institutions regulatory guidance 
doesn’t cover breaches of data about business customers, even 
small business customers who have business accounts? Mr. 





MacCarthy said in your absence that we should import that stand- 
ard. And, you know, we are not covering all — I guess the guidance 
doesn’t cover all consumers but only customers. 

You know, we just need to make sure that — I think that we — pri- 
vacy is a huge deal to people. And I think it varies in its implica- 
tions, but people don’t even like the idea of people just picking 
through it. 

And with that, I just want to ask the question — I realize I am 
running out of time. How do I determine which data brokers have 
my information? I mean, does your company have information 
about me? How do we even know? We know about credit reports, 
we know how to check them, we can even get them free once a year 
now. But who has my information? How do I know if I want to 
know? Maybe each of you could quickly tell me how I know if you 
have got info on me? 

Ms. Barrett. Well, there are a couple ways if Acxiom had info 
on you that you might know about it. If you have a question about 
a client or about a business relationship and you ask them where 
did that information come from? They might well refer you to 
Acxiom if we provided the information for whatever that 
process 

Ms. Schakowsky. But they might not. 

Ms. Barrett. Well, we actually encourage our clients to do that. And so that is one avenue. 

Ms. Schakowsky. They don’t have to. 

Ms. Barrett. It becomes a customer service issue I think for them to 

Ms. Schakowsky. Okay. 

Ms. Barrett. [continuing] deal with — in terms of you — your relationship with them since they are the business that you have a relationship with. 

Ms. Schakowsky. Okay. 

Ms. Barrett. On our website you can request, as I was talking 
earlier, a copy of the report of the information that we have since 
we do allow consumers to have access. Our web address is fairly 
well-known. While I don’t think all consumers know it, many, 
many do, and you can easily get to it from privacy websites and 
a number of other places. Those would be the two most common 
ways. 

Ms. Schakowsky. If we knew about Acxiom we could do that, 
but, you know, most consumers haven’t got a clue of who is even 
controlling their information. Do you know what I am saying? Is 
there a website I could go to to say well, here is a whole list of data 
brokers? Here is a whole list of people — I mean, I know who my 
credit card companies are, so I can go there. But these other busi- 
nesses that may have my information and are in the business of 
information are really not very well-known to people. 

Ms. Barrett. I think that is accurate. And we have actually 
talked about whether or not there should be a directory if you will 
or a website where consumers could go and learn who we are. We 
are certainly not trying to stay in the dark. 

Ms. Schakowsky. Thank you. 

Mr. Buege. In our case at West we really don’t originate any of 
this information. We obtain it from the credit bureaus and other 





aggregators. So in our case if you were to ask us what we have, 
we would certainly happily and do happily share that with con- 
sumers even though, again, we don’t serve consumer markets di- 
rectly. And the answer is it all comes from upstream, so what we 
end up doing is referring you to the source of the data to have it 
corrected, removed, whatever. 

Mr. Ireland. The only information we would have would be derivative of the Visa card that you have with your bank. And we act 
as a servicer to your bank in processing some of that information, 
as do other servicers. And the place to start to know where that 
information is is with your bank if it gave you the Visa card. 

Mr. Burton. Entrust is a security software company so we are 
not a data broker, and we help banks and data brokers protect in- 
formation, but we don’t hold any ourselves. 

Ms. Schakowsky. Thank you all. 

Mr. Stearns. I thank the gentlelady. The gentlelady from Ten- 
nessee. Okay. Okay. I think what we are going to do is a second 
round here. We appreciate having this expertise here. 

Mr. Ireland, your testimony states that Visa believes that all 
holders of sensitive information about consumers should be subject 
to the same rules. Why shouldn’t different types of information be 
treated differently? Should data security laws differentiate between 
companies that maintain customer data and those that handle non- 
customer data? 

Mr. Ireland. Well, the current banking rules, for example, dif- 
ferentiate — well, depending on whether or not you are the customer 
or the bank. But Visa adopted the CISP program, for example, be- 
cause it saw gaps in the banking agency 501(b) and the FTC 501(b) 
guidance and standards like that. There was some discussion ear- 
lier about whether the banking agency standard or the FTC stand- 
ard is precisely the right standard. And there is no standard that 
can’t be improved in my mind. 

But standards like that ought to apply, we believe, to classes of 
information that would be considered sensitive. And obviously 
other classes, more sophisticated information systems such as cred- 
it reporting agencies are already subject to the Fair Credit Report- 
ing Act. But a basic security standard in our view ought to be 
adopted for a level of information. And it is characterized in my 
testimony as sensitive, and you have to sort out what that is. 

One of the problems with current State legislation is that dif- 
ferent States are defining sensitive information differently. And 
what you consider sensitive information depends in part on the dia- 
log I had with Ms. Schakowsky about what you are trying to pro- 
tect. If you are trying to protect against identity theft, the informa- 
tion is the type of information that would enable somebody to open 
an account with a financial institution, which is information speci- 
fied in rules under Section 326 of the U.S.A. Patriot Act for exam- 
ple. 

If you were talking about credit card account information, that 
is a somewhat different set of information. If you are talking about 
privacy interests, you are covering a still broader set of informa- 
tion, but you are still not probably covering information that is not 
personally identifiable. So as you go about that task I think yes, 
you have to differentiate between classes of information. But for 





the same class of information, the same rules ought to apply, re- 
gardless of who has that information I would think. 

Mr. Stearns. If you could waive a wand, do you think Gramm- 
Leach-Bliley needs to be changed at all? 

Mr. Ireland. I think Gramm-Leach-Bliley has done a very good 
job of doing what it set out to do, which was to have financial insti- 
tutions get control of their uses of personal information and give 
consumers an opportunity to opt out of certain uses of that infor- 
mation. And that has happened. And I think you have a very high 
level of compliance with that statute. But obviously there is per- 
sonal information that is outside the scope of that statute, and the 
unauthorized use and access to that information creates risks to 
consumers and we think ought to be addressed by security stand- 
ards. 

Mr. Burton. Mr. Chairman 

Mr. Stearns. Yes 

Mr. Burton, [continuing] if I could just comment 

Mr. Stearns. Go ahead. Sure, Mr. Burton. 

Mr. Burton, [continuing] on Gramm-Leach-Bliley, because I 
think actually the security safeguards in Gramm-Leach-Bliley are 
extremely interesting, and I think that we may need to do more. 
But if you look at what they talk about in terms of what organiza- 
tions should do to protect security, they don’t talk about tech- 
nology, they don’t talk about mandates. They really talk about 
sound business practices like having a risk assessment for your 
personal data, making sure there is a security officer in charge of 
it, making sure that there is regular audits. And I think these 
kinds of activities are ultimately what is going to drive greater se- 
curity. 

And in the work that Entrust has done, including a Department 
of Homeland Security Committee we co-chaired, we focused really 
on information security as a corporate governance issue. And so to 
the extent that you get CEOs and Boards of Directors focused on 
this and with regular reports going to them about the state of the 
security in their organizations, suddenly you will see big progress 
in the way that data is protected and secured. 

Mr. Stearns. Mr. Buege, we haven’t talked about in the event 
that there are violations and penalties. And do you think monetary 
penalties are appropriate for entities that disregard basic data base 
security due to, you know, lack of preparation, due diligence, not 
following good industry practices? And if so when should a data 
broker be sanctioned with a fine? 

Mr. Buege. I think I would say yes, that if a data broker is not 
exercising appropriate diligence in terms of safeguarding the infor- 
mation, in terms of securing access to it appropriately, that sanc- 
tions would be an appropriate remedy. I am not sure I can specu- 
late on, you know, what sorts of sanctions or the magnitude of 
those but 

Mr. Stearns. Do you think it should be monetary or 

Mr. Buege. Why not? I mean, I wouldn’t object to some measures 
like that in place. I mean, I think if that is what it takes to moti- 
vate companies to properly protect this information and to act re- 
sponsibly in terms of access and systems integrity, I would have no 
objection to it. 





Mr. Stearns. Anybody else — I mean, that is another area we 
haven’t talked about in the event that we do find somebody who 
is negligent. What kind of penalty should be enforced or is there, 
you know, a warning or what? I mean, depending upon obviously 
the offense, but if you have any feel on that, anybody else? 

Ms. Barrett. I would agree. 

Mr. Stearns. Okay, all right. Well, my time has expired on that, 
so the gentlelady from Tennessee. 

Ms. Blackburn. Thank you, Mr. Chairman. And I want to thank 
each of you for your indulgence. I had just arrived when we had 
to depart. So I thank you for this. And I think it does, Mr. Chair- 
man, point out the importance of testimony being submitted early 
because it does allow us to read through that and to prepare and 
to be ready to come into the hearings. 

Ms. Barrett, I think I want to begin with you if I may, please, 
ma’am. And I want to thank all of you for what you are doing and 
being with us here today. I represent an area in Tennessee that 
goes from Memphis to Nashville, and we have a lot of individuals 
that live in this district that are concerned with piracy, intellectual 
property theft, and, of course, a component of that is identity theft. 
And so we are pretty focused on this. The banking interests, the 
insurance interests that are in my district, the healthcare interests 
that are there, the identity theft comes up repeatedly. So we thank 
you for this. 

And, Ms. Barrett, in your testimony you explained an occurrence 
of a client illegally obtaining information from your server and how 
you went about handling that. And my question for you is based 
on — it was a July 2004 article that was in “U.S.A. Today” that ref- 
erenced an occurrence of hacking into your server by an individual 
who ran snipermail.com. So was Snipermail the client that you 
were referring to? 

Ms. Barrett. Yes, it is. 

Ms. Blackburn. It is, okay. All right. So they were a client and 
not just an outside intruder. And so would you explain the vetting 
process that you went through before agreeing to do business with 
Snipermail? 

Ms. Barrett. Yes, and let me clarify — let me describe the situa- 
tion. That 

Ms. Blackburn. Okay. 

Ms. Barrett, [continuing] might answer this plus other ques- 
tions. We have a file transfer server that our clients use when they 
want to send us a file of data to be processed. They would send 
that file to this server, and then we would reach outside of our 
main system, pick it up, and bring it inside our firewall. It was 
used 

Ms. Blackburn. Hold on just one moment. So that transfer serv- 
er is outside your normal firewall system? 

Ms. Barrett. Yes, it 

Ms. Blackburn. Okay. 

Ms. Barrett, [continuing] was password-protected with pass- 
words that each client was assigned. Sometimes the files were com- 
ing to us for processing, and then when we finished with that, 
sometimes we would put the file back on that server to be sent 
back to the client. In many cases the downstream use of that file 





was actually by a vendor of our clients. And in the case of 
Snipermail, there were actually two different breaches — or two dif- 
ferent individuals that breached the server in the same way in 
2003. One of them was from a client operation. The other one was 
from a vendor of a client. And we posted files on that server, and 
the client actually gave the vendor access to the server to come and 
pick up the files for subsequent processing. 

Ms. Blackburn. If I may follow up with you on that, then. So 
in your vetting process with your clients, are you including or re- 
quiring some type of vetting process for their vendors with which 
they plan to share that information? 

Ms. Barrett. We have talked about it since that incident. Since 
the client — this is client data, not Acxiom data, not part of our in- 
formation products. We actually rely on our client to do the vetting 
of their own vendors. 

Ms. Blackburn. And what is your accountability process with 
your clients regarding those vendor clients of theirs — the vendors 
of theirs? Because in essence the client is acting on the behalf of 
the vendor if you will. So therefore, you still have a contingent li- 
ability in that issue. 

Ms. Barrett. And what we have done since that incident is 
change rather dramatically the processes we use to distribute files 
to both clients and their vendors, tighten that process up. There 
are much stricter passwords that are required for that server. It is 
not a two-way server. There is a server for distribution and a serv- 
er for receipt. The passwords are changed and verified far more fre- 
quently than they were before. And we expect a credentialing proc- 
ess if you will to go on between our client and their vendor. 

Ms. Blackburn. Okay. Have you sold information on American 
consumers to foreign companies or foreign governments? 

Ms. Barrett. No. 

Ms. Blackburn. You have not. Okay, great. All right. I think my 
time is about out. Mr. Chairman, thank you. 

Mr. Stearns. I thank you. I thank you for coming. We are 
through with our questions so we are going to adjourn the sub- 
committee, but I want to thank you for the patience you had during 
the evacuation here. It is very unusual, but we appreciate you tak- 
ing the time to come back. We lost the GWU law professor, but we 
are going to submit questions to him to fulfill everything. But I 
think you have given us a good idea of what we should do. So your 
coming here today has helped sort of firm up some of the ideas we 
had on this bill, and we are hoping, I think, in due time here to 
get a bill. And so any other things that you might suggest — I have 
given you the outline, probably 7 or 8 of the things we are thinking 
about, some of them not as forcibly as the others, but you never 
know what can happen once you move out of the subcommittee to 
the full committee. But I am hoping we can mark this up in per- 
haps the next 30 days. So thank you very much for coming, and 
the subcommittee is adjourned. 

[Whereupon, at 1:37 p.m., the subcommittee was adjourned.] 

[Additional material submitted for the record follows:] 





Prepared Statement of ARMA International 

ABOUT ARMA INTERNATIONAL 

Established in 1956, ARMA International (ARMA) is the non-profit membership 
organization for the records and information management profession. The 10,000 
members of ARMA include records and information managers, imaging specialists, 
archivists, technologists, legal administrators, librarians, and educators. Our mis- 
sion includes providing education, research, and networking opportunities to infor- 
mation management professionals, as well as serving as a resource to public policy 
makers on matters related to the integrity and importance of records and informa- 
tion. 

ARMA also serves as a recognized standards developer for the American National 
Standards Institute (ANSI), participating and contributing toward the development 
of standards for records and information management.1 ARMA is also a charter 
member of the information and documentation subcommittee of the International 
Organization for Standardization (ISO), aiding in the development of its records 
management standard.2 

Because of the essential role of effective and appropriate information management 
in today’s economy, ARMA International has a strong interest in issues pertaining 
to safeguarding consumer information and other personally identifiable information 
possessed by business and government. 

Records and information management plays an important role in the private sec- 
tor. In this new century, the most valuable commodity of business is information, 
often in the form of data bases of essential information required by the service sec- 
tors of our economy. The greatest responsibility for organizations will be managing 
and maintaining the integrity of an ever-growing flow of information, including the 
establishment of appropriate safeguards for sensitive information and in estab- 
lishing retention schedules compliant with regulatory and statutory requirements. 
Issues such as what information has intrinsic value and what information will be 
shared and with whom are critical to the future success of 21st century organiza- 
tions. These challenges call for increased recognition of the role of managing critical 
information and providing appropriate protections for personally identifiable infor- 
mation. 

Organizations that embrace information management as being strategic and mis- 
sion critical will ensure their competitive advantage and remain appropriate stew- 
ards of information that contains personal and private records. 

DATA SECURITY INITIATIVES NEED TO BE SENSITIVE TO A WIDE VARIETY OF FACTORS 

Americans demand security and privacy of their personally identifiable informa- 
tion. Identity theft complaints continue to rise.3 The establishment of new systems 
that allow easy access and transference of personally identifiable data between par- 
ties should be sensitive to personal privacy and grant assurance to Americans 
that their data will not be misused or end up in the wrong hands. ARMA believes 
that these systems must incorporate the best practices of records and information 
management. 

Concerns have also begun to emerge with health care providers, financial institu- 
tions, and other users of consumer information sending personally identifiable infor- 
mation overseas for processing. This practice, known as “information offshoring” is 
becoming more and more common as organizations seek to curb costs by sending 
data to countries such as India, Pakistan, and Bangladesh for processing. Unfortu- 
nately, these nations lack any statutory controls for the protection of personally identi- 
fiable information and it remains unclear whether existing U.S. laws, such as 
HIPAA, apply.4 


1 “Managing Recorded Information Assets and Resources: Retention and Disposition Program” 
may be viewed at http://www.arma.org/standards/public/document_review.cfm?DocID=22. 

2 “Information and documentation — Records management — Part 1: General” (ISO 15489- 
1:2001) (hereafter “ISO 15489-1”). ARMA fully supports ISO 15489-1. ARMA is currently devel- 
oping additional records management standards beyond ISO 15489. 

3 The Federal Trade Commission reported over 400,000 complaints of identity theft logged into 
its ID Theft Clearinghouse as of December 2003. See prepared statement of the Federal Trade 
Commission on Identity Theft: Prevention and Victim Assistance, presented by Betsy Broder, 
Assistant Director, Division of Planning and Information, Bureau of Consumer Protection, before 
the Subcommittee on Oversight and Investigations of the House Committee on Energy and Com- 
merce (December 15, 2003). http://www.ftc.gov/os/2003/12/031215idthefttestimony.pdf. 

4 In a response to a letter from Representative Edward J. Markey asking whether HIPAA cov- 
ers personally identifiable information sent overseas for processing, Health and Human Services 






Of primary importance from a records and information management perspective 
is ensuring the privacy and security of the information. Whatever information man- 
agement systems are in place must ensure protection of the records and information 
in these two critical areas. Public sector agencies and private sector entities should 
not have access to personally identifiable information unless the information is es- 
sential to the organization’s work. It is important that public and private sector en- 
tities identify what information is actually mission critical, who within their organi- 
zations should have access to the information, and then ensuring that the informa- 
tion cannot be accessed by unauthorized parties. 

Established records and information management policies that follow best prac- 
tices concerning retention, disposition, categorization, maintenance, or disposal may 
apply to aggregated data just as they apply to records in other formats.5 The re- 
quirements for protecting records during their use cannot simply be “added on” at 
the end of a technology implementation. These requirements are integral to the 
functioning of any system which stores, retrieves and protects information, and 
therefore must be considered during each phase from design to final implementation 
and system maintenance. 

WHY RECORDS RETENTION AND DESTRUCTION POLICIES ARE IMPORTANT FOR DATA 

SECURITY 

Information is among the most valuable commodities of any organization. In the 
case of organizations that possess, process, and use sensitive consumer information, 
this information is a part of the organization’s strategic business model. As such, 
these organizations have a significant responsibility to manage and maintain the in- 
tegrity and security of this information, including the implementation of appropriate 
safeguards against unauthorized use and the proper disposal of the information. 

ARMA notes that a significant risk of identity theft occurs at a point when a 
given record should be destroyed — and the best practices of records and information 
management and a record’s retention schedule would require not only appropriate 
measures to ensure destruction, but also the documentation of the destruction or 
final disposition action. 

Within the context of managing the life cycle of any information, assuring that 
records and information are destroyed appropriately — at the time and in the man- 
ner anticipated by the organization’s retention and disposition program, and in com- 
pliance with any applicable law or regulation — is as important and deserves the 
same level of attention and stewardship as assuring that the information is properly 
maintained — both for the use of an organization in pursuit of its business purposes 
as well as for safeguarding the information from improper use during the useful life 
of the information. The appropriate destruction of a record at the end of its life cycle 
will assist with efforts to curb identity theft, such as the growing problem of “dump- 
ster diving.” The same best practices will safeguard against the misappropriation of records 
stored in electronic format. 

Safeguards and proper disposal are essential elements of an organization’s infor- 
mation retention and disposition program. ARMA believes that any safeguard re- 
gime for personally identifiable information must include the formal endorsement 
by senior management of a written records and information management program. 
This would include the appropriate investment in personnel, training and organiza- 
tion-wide communications. It would also ensure that third party relationships en- 
dorse the same safeguards with appropriate means of ensuring compliance. 

In today’s distributed work environments, a wide variety of individuals create 
records and must therefore take responsibility to ensure those records are captured, 
identified and preserved. It is no longer enough to train administrative staff and as- 
sume they will make sure the records end up in the records management program. 
All members of management, employees, contractors, volunteers and other individ- 
uals share the responsibility for capturing records so they can be properly managed 
throughout the length of their required retention period. 

ARMA’s comments are informed by recognized practices of documenting the dis- 
posal of information and records. ISO 15489-1 Clause 8.3.7, “Retention and disposi- 
tion”6 provides: “Records systems should be capable of facilitating and implementing 


Secretary Tommy Thompson indicated it did not. See letter from Secretary Thompson to Rep- 
resentative Markey dated June 14, 2004 at http://www.house.gov/markey/Issues/iss_health_resp040614.pdf. 

5 See “Managing Electronic Messages as Records (formerly: Guideline for Managing E-mail)” 
(ANSI/ARMA-9-200X). 

6 ISO 15489-1 Clause 3.9 defines “disposition” to mean “range of processes associated with 
implementing records retention, destruction or transfer decisions which are documented in dis- 
position authorities or other instruments”. ISO 15489-1 Clause 3.8 defines “destruction” to mean 





decisions on the retention and disposition of records. It should be possible for these 
decisions to be made at any time in the existence of records, including during the 
design stage of records systems. It should also be possible, where appropriate, for 
disposition to be activated automatically. Systems should provide audit trails or 
other methods to track completed disposition actions.” 

ISO 15489-1 Clause 9.9, “Implementing disposition” provides in part: “The fol- 
lowing principles should govern the physical destruction of records — 

1) Destruction should always be authorized. 

2) Records pertaining to pending or actual litigation or investigation should not be 
destroyed. 

3) Records destruction should be carried out in a way that preserves the confiden- 
tiality of any information they contain. 

4) All copies of records that are authorized for destruction, including security copies, 
preservation copies and backup copies, should be destroyed.” 
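The four Clause 9.9 principles and the Clause 8.3.7 audit-trail requirement quoted above can be enforced mechanically rather than left to procedure. The following is an added example, not ARMA's or ISO's code and not taken from the hearing record: a small disposition routine that refuses unauthorized destruction, refuses while a legal hold is set, zeroes each buffer before releasing it, walks every known copy (primary, backup, security copy), and appends one audit entry per destroyed record. The record fields, series names, retention periods, and sample data are assumptions constructed for illustration.

```python
"""Added example (not ARMA's or ISO's code): a small disposition routine that
enforces the four Clause 9.9 destruction principles and keeps the audit trail
Clause 8.3.7 asks for. Record fields, series names, retention periods and the
sample data are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib


@dataclass
class Record:
    record_id: str
    series: str                    # retention-schedule series this record belongs to
    created: date
    legal_hold: bool = False       # set while litigation or an investigation is pending
    copies: dict = field(default_factory=dict)   # location -> bytearray (primary, backup, ...)


# Assumed retention schedule: series -> years to retain after creation.
RETENTION_YEARS = {"customer-account": 7, "marketing-list": 2}

TODAY = date(2005, 5, 11)   # the hearing date, used as the disposition run date


def due_for_disposition(records, today=TODAY):
    """Return records whose retention period has expired and that are not on hold.
    A record with no schedule entry is never selected: destruction must be a
    scheduled, authorized decision, not a default."""
    due = []
    for r in records:
        years = RETENTION_YEARS.get(r.series)
        if years is None:
            continue
        expiry = r.created + timedelta(days=365 * years)   # whole-year precision is enough here
        if today >= expiry and not r.legal_hold:
            due.append(r)
    return due


def destroy(record, authorized_by, audit_log, today=TODAY):
    """Destroy every copy of one record and append one audit entry.
    Principle 1: refuse without a named authorizer.
    Principle 2: refuse while a legal hold is set, even if the schedule says destroy.
    Principle 3: zero each buffer before releasing it so the content is not left behind.
    Principle 4: walk every known copy, not just the primary."""
    if not authorized_by:
        raise PermissionError(f"{record.record_id}: destruction not authorized")
    if record.legal_hold:
        raise RuntimeError(f"{record.record_id}: on legal hold, cannot destroy")
    digests = {}
    for location, data in list(record.copies.items()):
        digests[location] = hashlib.sha256(data).hexdigest()  # records what was destroyed without keeping it
        data[:] = b"\x00" * len(data)
        del record.copies[location]
    audit_log.append({
        "record_id": record.record_id,
        "action": "destroyed",
        "date": today.isoformat(),
        "authorized_by": authorized_by,
        "copies_destroyed": sorted(digests),
        "content_digests": digests,
    })
    return len(digests)


def run_disposition(records, authorized_by, today=TODAY):
    """One disposition run: returns the audit trail and the records still held."""
    audit_log = []
    for r in due_for_disposition(records, today):
        destroy(r, authorized_by, audit_log, today)
    remaining = [r for r in records if r.copies]
    return audit_log, remaining


def sample_records():
    """Constructed sample data, not taken from the hearing record."""
    return [
        Record("R1", "marketing-list", date(2002, 3, 1),
               copies={"primary": bytearray(b"jane@example.com"),
                       "backup": bytearray(b"jane@example.com")}),
        Record("R2", "marketing-list", date(2002, 3, 1), legal_hold=True,
               copies={"primary": bytearray(b"john@example.com")}),
        Record("R3", "customer-account", date(2004, 1, 1),
               copies={"primary": bytearray(b"account 1234")}),
    ]


def demo():
    return run_disposition(sample_records(), authorized_by="records-officer")


if __name__ == "__main__":
    log, kept = demo()
    for entry in log:
        print(entry)
    print("still held:", [r.record_id for r in kept])
```

Run as written, the marketing-list record R1 is past its two-year retention and is destroyed in both its primary and backup locations, R2 survives because of its legal hold even though it is equally expired, and R3 is still within its seven-year period. The audit entry keeps a digest of each destroyed copy so the trail can prove what was destroyed without retaining the content itself.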

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act), approved by 
this Committee, contains a provision requiring the Federal Trade Commission and 
the various banking regulators to develop a disposal rule for sensitive customer in- 
formation. This rule may provide a model for businesses in other industry sectors 
for the appropriate disposal of personally identifiable information. In its comments 
to the disposal rules proposed by the Commission and the various banking regu- 
lators, ARMA strongly recommended that an organization’s safeguards include a for- 
mal, written records and information management program, consistent with ISO 
15489. 


CONCLUSION 

ARMA International applauds the leadership of Chairman Stearns and Ranking 
Member Schakowsky for examining the data security issue. ARMA recommends to 
the Subcommittee the best practices of records and information management as an 
effective element for any data security or safeguards initiatives or policies. 


Prepared Statement of Gail Hillebrand, Senior Attorney, Consumers Union 

SUMMARY 

Consumers Union,' the non-profit, independent publisher of Consumer Reports, 
believes that the recent announcements by ChoicePoint, Lexis-Nexis, and many oth- 
ers about the lack of security of our most personal information underscores the need 
for Congress and the states to act to protect consumers from identity theft. 

Identity theft is a serious crime that has become more common in recent years 
as we have delved further into the “information age.” According to the Federal 
Trade Commission, 27.3 million Americans have been victims of identity theft in the 
past five years, costing businesses and financial institutions $48 billion and con- 
sumers $5 billion. Victims pay an average of $1,400 (not including attorney fees) 
and spend an average of 600 hours to clear their credit reports. The personal costs 
can also be devastating; identity theft can create unimaginable family stress when 
victims are turned down for mortgages, student loans, and even jobs. 

And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and others point to, 
American consumers cannot fully protect themselves against identity theft on their 
own. Even consumers who do “everything right,” such as paying their bills on time 
and holding tight to personal information such as Social Security numbers and 
dates of birth, can become victim through no fault of their own because the compa- 
nies who profit from this information have lax security standards. 


“process of eliminating or deleting records, beyond any possible reconstruction”. Similarly, Draft 
Standard, Section 3, “Definitions,” defines “disposition” to mean “a range of processes associated 
with implementing records retention, destruction, or transfer decisions that are documented in 
the records retention and disposition schedule or other authorities. Draft Standard, Section 3 
defines “destruction” to mean “the process of eliminating or deleting records beyond any possible 
reconstruction.” 

1 Consumers Union is a non-profit membership organization chartered in 1936 under the laws 
of the state of New York to provide consumers with information, education and counsel about 
goods, services, health and personal finance, and to initiate and cooperate with individual and 
group efforts to maintain and enhance the quality of life for consumers. Consumers Union’s in- 
come is solely derived from the sale of Consumer Reports, its other publications and from non- 
commercial contributions, grants and fees. In addition to reports on Consumers Union’s own 
product testing, Consumer Reports, with more than four million paid circulation, regularly car- 
ries articles on health, product safety, marketplace economics and legislative, judicial and regu- 
latory actions which affect consumer welfare. Consumers Union’s publications carry no adver- 
tising and receive no commercial support. 





Therefore, Congress and the states must enact new obligations grounded in Fair 
Information Practices 2 on those who hold, use, sell, or profit from private informa- 
tion about consumers. In this context, Fair Information Practices would reduce the 
collection of unnecessary information, restrict the use of information to the purpose 
for which it was initially provided, require that information be kept secure, require 
rigorous screening of the purposes asserted by persons attempting to gain access to 
that information, and provide for full access to and correction of information held. 
Consumers Union recommends that lawmakers do the following: 

• Require notice of all security breaches: Impose requirements on businesses, 
nonprofits, and government entities to notify consumers when an unauthorized 
person has gained access to sensitive information pertaining to them. Con- 
sumers Union supports S. 751, by Senator Dianne Feinstein, which would put 
these requirements in place. We also believe that S. 768, introduced by Senator 
Charles Schumer and Senator Bill Nelson, will make an excellent notice of 
breach law. 

• Require and monitor security: Impose strong requirements on information bro- 
kers to protect the information they hold and to screen and monitor the persons 
to whom they make that information available. S. 768, as well as S. 500 and 
H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, 
respectively, would direct the Federal Trade Commission to develop such stand- 
ards and oversee compliance with them. 

• Give consumers access to and a right to correct information: Give individ- 
uals rights to see, dispute, and correct information held by information brokers. 
This is also addressed in the Schumer/Nelson and Nelson/Markey bills. 

• Protect SSNs: Restrict the sale, collection, use, sharing, posting, display, and 
secondary use of Social Security numbers. 

• Require more care from creditors: Require creditors to take additional steps 
to verify the identity of an applicant when there is an indicator of possible ID 
theft. 

• Grant individuals control over their sensitive information: Give individuals 
rights to control who collects — and who sees — sensitive information about them. 

• Restrict secondary use of sensitive information: Restrict the use of sensitive 
personal information for purposes other than the purposes for which it was col- 
lected or other uses to which the consumer affirmatively consents. 

• Fix FACTA: A consumer should be able to access more of his or her Fair and 
Accurate Credit Transactions Act (FACTA) rights, such as the extended fraud 
alert, before becoming an ID theft victim. Further, one of the key FACTA rights 
is tied to a police report, which victims still report difficulty in getting and 
using. 

• Create strong and broadly-based enforcement: Authorize federal, state, local, 
and private enforcement of all of these obligations. 

• Recognize the role of states: States have pioneered responses to new forms of 
identity crime and risks to personal privacy. Congress should not inhibit states 
from putting in place additional identity theft and privacy safeguards. 

• Provide resources and tools for law enforcement: Provide funding for law 
enforcement to pursue multi-jurisdictional crimes promptly and effectively. Law 
enforcement also may need new tools to promote prompt cooperation from the 
Social Security Administration and private creditors in connection with identity 
theft investigations. 

After a very brief discussion of the problem of identity theft, each recommendation 
is discussed. 


2 The Code of Fair Information Practices was developed by the Health, Education, and Welfare 
Advisory Committee on Automated Data Systems, in a report released two decades ago. The 
Electronic Privacy Information Center has described the Code as based on these five principles: 

1. There must be no personal data record-keeping systems whose very existence is secret. 

2. There must be a way for a person to find out what information about the person is in a 
record and how it is used. 

3. There must be a way for a person to prevent information about the person that was ob- 
tained for one purpose from being used or made available for other purposes without the per- 
son’s consent. 

4. There must be a way for a person to correct or amend a record of identifiable information 
about the person. 

5. Any organization creating, maintaining, using, or disseminating records of identifiable per- 
sonal data must assure the reliability of the data for their intended use and must take pre- 
cautions to prevent misuses of the data. 

Electronic Privacy Information Center, http://www.epic.org/privacy/consumer/code_fair_info.html. 





The problem of identity theft is large and growing 

Current law simply has not protected consumers from identity theft. The numbers 
tell part of the story: 

• According to the Federal Trade Commission, 27.3 million Americans have been 
victims of identity theft in the last five years, costing businesses and financial 
institutions $48 billion, plus another $5 billion in costs to consumers. 

• Commentator Bob Sullivan has estimated that information concerning two million 
consumers is involved in the security breaches announced over just the six 
weeks ending April 6, 2005. Is Your Personal Data Next?: Rash of Data Heists 
Points to Fundamental ID Theft Problem, http://msnbc.msn.com/id/7358558 

• Based on a report to the FTC in 2003 which concluded that there were nearly 
10 million identity theft victims each year, Consumers Union estimates that 
every minute 19 more Americans become victims of ID theft. 

These numbers can’t begin to describe the stress, financial uncertainty, lost work- 
time productivity and lost family time identity theft victims experience. Even finan- 
cially responsible people who routinely pay their bills on time can find themselves 
in a land of debt collector calls, ruined credit and lost opportunities for jobs, apart- 
ments, and prime credit. With more and more scandals coming out every week, the 
time has come for Congress to act to protect the security of our personal informa- 
tion. 

Recommendations 

Notification: 

Notice of security breaches of information, whether held in computerized or paper 
form, is the beginning, not the end, of a series of steps needed to begin to resolve 
the fundamental conundrum of the U.S. information society: collecting informa- 
tion generates revenues or efficiencies for the holder of the information but can pose 
a risk of harm to the persons whose economic and personal lives are described by 
that information. 

The first principle of Fair Information Practices is that there be no collection of 
data about individuals whose very existence is a secret from those individuals. A 
corollary of this must be that when the security of a collection of data containing 
sensitive information about an individual is breached, that breach cannot be kept 
secret from the individual. Recognizing the breadth of the information that business, 
government, and others hold about individuals, Consumers Union recommends a no- 
tice of breach requirement that is strong yet covers only “sensitive” personal infor- 
mation, including account numbers, numbers commonly used as identifiers for credit 
and similar purposes, biometric information, and similar information. This sensitive 
information could open the door to future identity theft, so it is vital that people 
know when this information has been breached. 

Consumers Union supports a notice-of-breach law which does the following: 

• Covers paper and computerized data 

• Covers government and privately-held information 

• Does not except encrypted data 

• Does not except regulated entities 

• Has no loopholes, sometimes called “safe harbors” 

• Is triggered by the acquisition of information by an unauthorized person 

• Requires that any law enforcement waiting period must be requested in writing and be based on a serious impediment to the investigation

• Gives consumers who receive a notice of breach access to the federal right to place an extended fraud alert.

Consumers Union supports S. 751, which contains these elements. S. 768 contains 
most, but not all, of these elements and in certain other respects provides additional 
protections. 

Three of these elements are of special importance: covering all breaches without exceptions or special weaker rules for particular industries, covering data contained on paper as well as on computer, and covering data whether or not it is encrypted. First, a “one rule for all breaches” is the only way to ensure that the notice is sufficiently timely to be useful to the consumer for prevention of harm. “One rule for all” is also the only rule that can avoid a factual morass which could make it impossible to determine if a breach notice should have been given. By contrast, a weak notice recommendation such as the one contained in the guidance issued by the bank regulatory agencies³ cannot create a strong marketplace incentive to invest the time, money, and top-level executive attention to reduce or eliminate future breaches.

Second, unauthorized access to paper records, such as hospital charts or employee personnel files, is just as likely to expose an individual to a risk of identity theft as theft of computer files. Third, encryption doesn’t protect information from insider theft, and the forms of encryption vary widely in their effectiveness. Further, even the most effective form of encryption can quickly become worthless if it is not adapted to keep up with changes in technology and with new tools developed by criminals.

A requirement to give notice of a security breach elevates the issue of information security inside a company. A requirement for swift, no-exemption notice of security breaches should create reputational and other marketplace incentives for those who hold sensitive consumer information to improve their internal security practices. For example, California’s security breach law has led to improved data security in at least two cases. According to news reports, after giving its third notice of security breach in fifteen months, Wells Fargo Bank ordered a comprehensive review of all its information handling practices. The column quoted a memo from Wells Fargo’s CEO stating in part: “The results have been enlightening and demonstrate a need for additional study, remediation and oversight ... Approximately 70 percent of our remote data has some measure of security exposure as stored and managed today.”⁴

In another example, UC Berkeley Chancellor Robert Birgeneau announced plans to hire an outside auditor to examine data gathering, retention, and security, telling employees: “I insist that we safeguard the personal information we are given as if it were our own.”⁵ This announcement followed the second announced breach of the security of data held by the University in six months, this one involving 100,000 people.⁶

In the Sarbanes-Oxley Act, Congress recognized the importance of the “tone at the top,” and for that reason took steps to require that corporate boards and CEOs work to improve the quality and accuracy of audited financial statements. A strong, clear notice of security breach law, without exceptions, could similarly focus the attention of top management on information security — creating an incentive for a “tone at the top” to take steps to minimize or eliminate security breaches.

Security: 

Consumers Union supports S. 500 and H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, respectively. These measures would direct the Federal Trade Commission (FTC) to promulgate strong standards for information security and a strong obligation to screen customers, both initially and with respect to how those customers further protect the information from unauthorized use. They also provide for ongoing compliance monitoring by the FTC. S. 768, the Schumer/Nelson bill, contains similar provisions.

If Congress wanted to take even stronger steps with respect to information brokers, it could require information brokers to undergo annual audits, paid for by the broker and performed by an independent auditor retained by the FTC, with specific authority in the FTC to require corrective action for security and customer screening weaknesses identified in the audit, as well as allowing the FTC to specify particular aspects of information security that should be included in each such audit.

Any federal information broker law must require strong protections in specific aspects of information security, as well as imposing a broad requirement that security in fact be effective and be monitored for ongoing effectiveness. Congress must determine the balance between the public interest in the protection of data and the business interest in the business of information brokering. Security breaches and the effects on consumers of the ongoing maintenance of files on most Americans by information brokers are issues too important to be delegated in full to any regulatory agency.

3 That weak recommendation allows a financial institution to decide whether or not its customers need to know about a breach, and the explanatory material even states that it can reach a conclusion that notice is unnecessary without making a full investigation. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 CFR Part 30, 12 CFR Parts 208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. Other reasons why those guidelines are insufficient to substitute for a statutory requirement to give notice include that they do not apply to non-customers about whom the financial institution has sensitive data, that there is no direct or express penalty for violation of the guideline, and that their case-by-case approach will make it extremely hard to determine in which circumstances the guidance actually recommends notice to consumers, complicating the process of showing that an obligation was unmet.

4 D. Lazarus, “Wells Boss Frets Over Security,” S.F. Chronicle, Feb. 23, 2005. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/23/BUGBHBFCRll.DTL

5 “Cal Laptop Security Put Under Microscope,” April 6, 2005, Inside Bay Area, http://www.insidebayarea.com/searchresults/ci_2642564.

6 Opinion Page, Oakland Tribune, April 5, 2005.

Access and Correction: 

Two of the basic Fair Information Practices are the right to see and the right to correct information held about the consumer. S. 768, S. 500, and H.R. 1080 all address these issues. While the Fair Credit Reporting Act (FCRA) allows consumers to see and correct their credit reports, as defined by FCRA, consumers currently have no legal right to see the whole file held on them by an information broker such as ChoicePoint and Lexis-Nexis, even though the information in that file may have a profound effect on the consumer. There is also lack of clarity about what a consumer will be able to see even under the FCRA if the information broker has not yet made a report to a potential employer or landlord about that consumer.⁷

Because the uses of information held by data brokers continue to grow and change, affecting consumers in myriad ways, consumers must be given the legal right to see all of the information data brokers hold on them, and to seek and win prompt correction of that information if it is in error.

Protection for SSNs: 

The Social Security number (SSN) has become a de facto national identifier in a 
number of U.S. industries dealing with consumers. Some proposals for reform have 
emphasized consent to the use, sale, sharing or posting of Social Security numbers. 
Consumers Union believes that a consent approach will be less effective than a set 
of rules designed to reduce the collection and use of sensitive consumer information. 

Take, for example, an analogy from the recycling mantra: “Reduce, reuse, recycle.” Just as public policy to promote recycling first starts with “reducing” the use of materials that could end up in a landfill, so protection of sensitive personal information should begin with reduction in the collection and use of such information. Restrictions on the use of the Social Security number must begin with restricting the initial collection of this number to only those transactions where the Social Security number is not only necessary, but also essential to facilitating the transaction requested by the consumer. The same is true for other identifying numbers or information that may be called upon as Social Security numbers are relied upon less.

Consumers Union endorses these basic principles for an approach to Social Security numbers:

• Ban collection and use of SSNs by private entities or by government except where necessary to a transaction and there is no alternative identifier which will suffice.

• Ban sale, posting, or display of SSNs, including no sale of credit header information containing SSNs. There is no legitimate reason to post or display individuals’ Social Security numbers to the public.

• Ban sharing of SSNs, including between affiliates.

• Ban secondary use of SSNs, including within the company which collected them.

• Out of the envelope: ban printing or encoding of SSNs on government and private checks, statements, and the like.

• Out of the wallet: ban use of the SSN for government or private identifier, except for Social Security purposes. This includes banning the use of the SSN, or a variation or part of it, for government and private programs such as Medicare, health insurance, driver’s licenses or driver’s records, and military, student, or employee identification. Any provision banning the printing of SSNs on identifying cards should also prohibit encoding the same information on the card.

• Public records containing SSNs must be redacted before posting.

• There should be no exceptions for regulated entities.

• There should be no exception for business-to-business use of SSNs.

Congress should also consider whether to impose the same type of “responsibility requirements” on the collection, sale, use, sharing, display and posting of other information that could easily evolve into a substitute “national identifier,” including driver’s license number, state non-driver information number, biometric information and cell phone numbers.

Creditor identity theft prevention obligations: 

Information is stolen because it is valuable. A key part of that value is the ability to use the information to gain credit in someone else’s name. That value exists only because credit granting institutions do not check the identity of applicants carefully enough to discover identity thieves before credit is granted.

7 Testimony of Evan Hendricks, Editor/Publisher, Privacy Times before the Senate Banking Committee, March 15, 2005, http://banking.senate.gov/files/hendricks.pdf.

Financial institutions and other users of consumer credit reports and credit scores should be obligated to take affirmative steps to establish contact with the consumer before giving credit or allowing access to an account when there is an indicator of possible false application, account takeover or unauthorized use. The news reports of the credit card issued to Clifford J. Dawg, while humorous, illustrate a real problem — creditor eagerness to issue credit spurs inadequate review of the identity of the applicant.⁸ When the applicant is a dog, this might seem funny, but when the applicant is a thief, there are serious consequences for the integrity of the credit reporting system and for the consumer whose good name is being ruined.

As new identifiers evolve, criminals will seek to gain access to and use those new identifiers. Thus, any approach to attacking identity theft must also impose obligations on those who make that theft possible — those who grant credit, goods, or services to imposters without taking careful steps to determine with whom they are dealing.

At minimum, creditors should be required to actually contact the applicant to verify that he or she is the true source of an application for credit when certain triggering events occur. The triggering events should include any of the following circumstances:

• Incomplete match on Social Security number 

• Address mismatch between application and credit file 

• Erroneous or missing date of birth in application 

• Misspellings of name or other material information in application 

• Other indicators as practices change 

Under FACTA, the FTC and the federal financial institution regulators are charged with developing a set of red flag “guidelines” to “identify possible risks” to customers or to the financial institution. However, FACTA stops with the identification of risks. It does not require that financial institutions do anything to address those risks once identified through the not-yet-released guidelines. The presence of a factor identified in the guidelines does not trigger a statutory obligation to take more care in determining the true identity of the applicant before granting credit. Congress should impose a plain, enforceable obligation for creditors to contact the consumer to verify that he or she has in fact sought credit when certain indicators of potential identity theft are present.

Control for consumers over affiliate-sharing, use of information, use of credit reports 
and credit scores: 

Consumers are caught between the growth in the collection and secondary use of information about them on the one hand and the increasing sophistication of criminals in exploiting weaknesses in how that information is stored, transported, sold by brokers, shared between affiliates, and used to access credit files and credit scores.

Identity theft has been fueled in part by information-sharing between and within companies, the existence of databases that consumers don’t know about and can’t stop their information from being part of, the secondary use of information, and the granting of credit based on a check of the consumer credit file or credit score without efforts to verify the identity of the applicant.⁹ Consumers Union has consistently supported federal and state efforts to give consumers the legal right to stop the sharing of their sensitive personal information among affiliates. Finally, it is essential to stopping the spread of numbers that serve as consumer identifiers that Congress and the states impose strong restrictions on the use of sensitive personal information for purposes other than the purpose for which the consumer originally provided that information.

Fix FACTA: 

FACTA has made some things more difficult for identity theft victims, according to information provided to Consumers Union by nonprofits and professionals who assist identity theft victims. Moreover, FACTA gives only limited rights to those who have not yet become victims of identity theft, and FACTA fails to offer a pure prevention tool for all consumers. A consumer who asserts in good faith that he or she is about to become a victim of identity theft gets one right under FACTA — the right to place, or renew, a 90 day fraud alert. However, this type of alert places lower obligations on the potential creditor than the extended alert, which is restricted only to identity theft victims.

8 Both the news stories about Clifford J. Dawg and a thoughtful analysis of the larger problem of too lax identification standards applied by creditors are found in C. Hoofnagle, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in Securing Privacy in the Information Age (forthcoming from Stanford University Press), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=650162.

9 Secondary use is use for a purpose other than the purpose for which the consumer gave the information.

A consumer should be able to access more of his or her FACTA rights, such as 
the extended fraud alert, before becoming an identity theft victim. One key FACTA 
right is tied to a police report, which victims still report difficulty in getting and 
using. 

Here are some key ways to make FACTA work for victims: 

• Initial fraud alert should be one year, not 90 days 

• Extended alert and other victims’ rights, other than blocking of information, should be available to all identity theft victims who fill out the FTC ID theft affidavit under penalty of perjury

• Business records should be available to any consumer who fills out the FTC ID theft affidavit under penalty of perjury

• Consumers who receive a notice of security breach should be entitled to place an extended fraud alert

• Consumers who place a fraud alert have the right under FACTA to a free credit report, but this should be made automatic.

There is also work to do outside of FACTA, including work to develop a police report that could be given to victims that is sufficiently similar, if not uniform, across jurisdictions, so that the victim does not find creditors or businesses in another jurisdiction refusing to accept a police report from the victim’s home jurisdiction.

Congress must encourage the states to continue to pioneer prompt responses to identity crime:

Virtually every idea on the table today in the national debate about stemming identity theft and protecting consumer privacy comes from legislation already enacted by a state. Congress must not cut off this source of progress and innovation. Instead, any identity theft and consumer privacy legislation in Congress should expressly permit states to continue to enact new rights, obligations, and remedies in connection with identity theft and consumer privacy to the full extent that the state requirements are not inconsistent with the specific requirements of federal law.

Criminals will always be more fast-acting, and fast-adapting, than the federal government. An important response to this reality is to permit, and indeed encourage, state legislatures to continue to act in the areas of identity theft and consumer privacy. Fast-acting states can respond to emerging practices that can harm consumers while those practices are still regional, before they spread nationwide. For example, California enacted its notice of security breach law and other significant identity theft protections because identity theft was a significant problem in California well before it became, or at least was recognized as, a national crime wave.

Identity theft illustrates how much quicker states act on consumer issues than Congress. According to numbers released by the FTC, there were 9.9 million annual U.S. victims of identity theft in the year before Congress adopted the relatively modest rights for identity theft victims found in FACTA. The identity theft provisions adopted by Congress in FACTA were modeled on laws already enacted in states such as California, Connecticut, Louisiana, Texas, and Virginia.¹⁰

Strong and broadly-based enforcement: 

Consumers need effective enforcement of those obligations and restrictions Congress imposes in response to the increasing threats to consumer privacy, and of the growth of identity theft. A diversity of approaches strengthens enforcement. Each statutory obligation imposed by Congress should be enforceable by federal agencies, the federal law enforcement structure with the Attorney General and U.S. Attorneys, and State Attorneys General. Where a state is structured so that part of the job of protecting the public devolves to a local entity, such as a District Attorney or City Attorney, those local entities also should be empowered to enforce anti-identity theft and privacy measures in local civil or, where appropriate, criminal courts.

10 See California Civil Code §§1785.11.1, 1785.11.2, 1785.16.1; Conn. SB 688 §9(d), (e). Conn. Gen. Stats. §36a-699; IL Rev. Stat. Ch. 505 §2MM; LA Rev. Stat. §§9:3568B.1, 9:3568C, 9:3568D, 9:3571.1 (H)-(L); Tex. Bus. & Comm. Code §§20.01(7), 20.031, 20.034-039, 20.04; VA Code §§18.2-186.31:E.

The role of the states has also been important in financial issues unrelated to identity theft. Here are two examples. In 1986, California required that specific information be included in credit card solicitations with enactment of the then-titled Areias-Robbins Credit Card Full Disclosure Act of 1986. That statute required every credit card solicitation to contain a chart showing the interest rate, grace period, and annual fee. 1986 Cal. Stats., Ch. 1397, codified at California Civil Code § 1748.11. Two years later, Congress chose to adopt the same concept in the Federal Fair Credit and Charge Card Disclosure Act (FCCCDA), setting standards for credit card solicitations, applications and renewals. P. L. 100-583, 102 Stat. 2960 (Nov. 1, 1988), codified in part at 15 U.S.C. §§1637(c) and 1610(e). The implementing changes to federal Regulation Z included a model form for the federal disclosure box which is quite similar to the form required under the pioneering California statute. 54 Fed. Reg. 13855, Appendix G.

There is also a role for a private right of action. It is an unfortunate reality of identity theft that law enforcement resources are slim relative to the size of the problem. This makes it particularly important that individuals be given a private right of action to enforce the obligations owed to them by others who hold their information. A private right of action is an important part of any enforcement matrix.

Money and tools for law enforcement: 

Even if all the recommended steps are taken, U.S. consumers will still need vigorous, well-funded law enforcement. At a meeting convened by Senator Feinstein which included some twenty representatives of law enforcement, including police departments, sheriffs, and District Attorneys, law enforcement uniformly proposed that they be given tools to more effectively investigate identity theft. Law enforcement costs money, and the law enforcers noted that the multi-jurisdictional nature of identity theft increases the costs and time it takes to investigate these crimes.

Law enforcers in California and Oregon have noted a strong link between identity 
theft crime and methamphetamine. The Riverside County Sheriff noted at a March 
29, 2005 event that when drug officers close a methamphetamine lab, they often 
find boxes of fake identification ready for use in identity theft. The drug team has 
closed the lab; without funding for training and ongoing officer time, there may be 
no investigation of those boxes of identities. 

To prove a charge of attempted identity theft, a prosecutor may need to prove that the real person holding a particular driver’s license number, credit or debit card number, or Social Security number is different from the holder of the fake ID. Doing this may require the cooperation of a state Department of Motor Vehicles, a financial institution, or the Social Security Administration. The public meetings of the California High Tech Crimes Advisory Committee have included discussion of the difficulties and time delays law enforcement investigators encounter in trying to obtain this cooperation. Congress should work with law enforcement and groups representing interest in civil liberties to craft a solution to verifying victim identity that will facilitate investigation of identity theft without infringing on the individual privacy of identity theft victims and other individuals.

Law enforcement may have more specific proposals to enhance their effectiveness 
in fighting identity theft. Consumers Union generally supports: 

• Funding for regional identity theft law enforcement task forces in highest areas of concentration of victims, and of identity thieves

• Funding for investigation and prosecution

• An obligation on creditors, financial institutions, and the Social Security Administration to provide information about suspected theft-related accounts or numbers to local, state, and federal law enforcement after a simple, well designed, request process

Consumers Union believes that the time has come for both Congress and state legislatures to act to stem identity theft through strong and meaningful requirements to tell consumers of security breaches; strong and detailed security standards and oversight for information brokers, reining in the use of Social Security numbers, increased control for consumers over the uses of their information, and obligations on creditors to end their role in facilitating identity theft through lack of care in credit granting. This should be done without infringing on the role of the states, with attention to the need to fund law enforcement to fight identity theft, and with attention to the need for private enforcement by consumers. We look forward to working with the Chair and members of the Committee, and others in Congress, to accomplish these changes for U.S. consumers. These recommendations by Consumers Union have been informed by the work of victim assistance groups, privacy advocates, and others.¹¹

11 Many law enforcers, victim assistance workers, and consumer and privacy advocates were engaged in the issue of identity theft prevention long before the most recent ChoicePoint security breach came to light. Consumers Union has worked closely for many years on efforts to fight identity theft and protect consumer financial privacy with other national groups, and with consumer privacy and anti-identity theft advocates and victim assistance groups based in California. Our views and recommendations are strongly informed by the experiences of consumers reported to us by the nonprofit Privacy Rights Clearinghouse, the nonprofit Identity Theft Resource Center, and others who work directly with identity theft victims. These groups have worked to develop the state laws that are the basis for many of the proposals now being introduced in Congress. Consumers Union is grateful for the leadership of the Privacy Rights Clearinghouse in consumer privacy policy work, the work of the state PIRGs and U.S.PIRG on consumer identity theft rights which includes the preparation of a model state identity theft statute in cooperation with Consumers Union, for the work for consumers on the accuracy of consumer credit reporting issues done over the past decade by the Consumer Federation of America and U.S. PIRG, and for the contributions to the policy debate of organizations such as the Electronic Privacy Information Center, Privacy Times, and others too numerous to mention.




